All Topics

I'm able to calculate the time difference between the start and end time of my job. I want to display the string value in a bar chart; how can I achieve this?

index=music Job=* | eval Duration=(end-start_time) | chart values(Duration) as Duration by "Start Time"
I need to upload CSS and HTML files to Splunk Cloud. Please help me with the steps to upload them and use them in dashboard customisation, since there is no option to upload assets in Splunk Cloud.
Hello Team, 9.4.0, troubleshooting prod, replicated the issue in staging. I have 1 indexer only. Performing all searches on that indexer:
- when I search for "index=index1 sourcetype=mytype1" I get 0 results
- when I search for "index=index1" I get 1000 results and can see all of those are of sourcetype=mytype1
- when I search for "index=index1 | stats count by sourcetype" I can see 0 statistics
- when looking at those events manually, all of them are of sourcetype=mytype1
- checked job inspector, all looks good, nothing special
I am admin. Full access. Searching with 15 min and all time (no difference, the same results).
Sourcetype "mytype1" has been created by transforms:

[set_sourcetype_1]
REGEX =myhost\.pl
DEST_KEY = MetaData:Sourcetype
FORMAT = mytype1
WRITE_META = true

No other definition of that sourcetype anywhere else (should I add it somewhere??). What is wrong? Why can't I search by sourcetype? Thanks,
Hi. I have a file that I want to remove a portion of during index time. Remove all the text between ************************************** lines. For example:

**********************************************************************
Started at : 25/02/16 04:07:04
Terminated at:
Elapsed time :
Software:
Version: 6.0.0.0
Built : 6.0.0.0.20141102.1-Release_ 14/11/02 10:06:52
Context:
Account: SOC
Machine: NEW
IP addr: 255.555.543
CPU : Dual-Core
LOG Recycle Count:
**********************************************************************
25/02/16 04:07:04.834 | 7904 | TEST1
25/02/16 04:07:04.834 | 7904 | TEST2
25/02/16 04:07:04.865 | 7860 | TEST3
25/02/16 04:07:04.881 | 7860 | TEST4
...

In the end I need to get:

25/02/16 04:07:04.834 | 7904 | TEST1
25/02/16 04:07:04.834 | 7904 | TEST2
25/02/16 04:07:04.865 | 7860 | TEST3
25/02/16 04:07:04.881 | 7860 | TEST4

Please assist. Thanks
We have just upgraded to ES 8.0.2, and it is very bad or still in development stages, and we want to roll back to 7.3. How can we do that while keeping all our searches and notable data?
I've been smashing my head against this issue for the past few hours. I need to check a multivalue field to see if it contains "N/A" *and* any value that isn't "N/A". If this is true, I need to filter out whatever "N/A" values exist within the field and return the remaining non-N/A values as a multivalue field.
This is Splunk Enterprise on-premise version 9.2.4 and the Config Explorer is version 1.7.16. Splunkbase reports that Config Explorer 1.7.16 is compatible with all the Splunk 9 versions, 9.0-9.4 as of this writing. The Upgrade Readiness App detected 1 app with deprecated Python on the my-server instance: config_explorer. I have confirmed that in $SPLUNK/bin the python3.7m executable reports it is version 3.7.17, and I have viewed the jsquery.js file in $SPLUNK/etc/apps/splunk_monitoring_console/src/visualizations/heatmap/node_modules/jquery/dist/, which is jQuery JavaScript Library v3.5.0/jsquery.js and is the only jsquery.js file in the $SPLUNK subdirectories. Why is the Upgrade Readiness App reporting a deprecated Python, and why does my Splunk get warnings about Python and jQuery incompatibilities?
I'm running the following command:

| rest /services/server/sysinfo

And it shows the indexer and the search head but not the heavy forwarder. What can it be?
Hi everyone. I'm doing a query in which I sort by time according to a variable and then calculate some metrics over the data. But I need to calculate these metrics without considering the very first instance of my data, that is, the earliest one, as it's the one associated with the server being started daily and it's not valid for my needs. It's important to note that I don't have any information associated with this first instance before the query runs, as it's related to a script scheduled to run at a specific time, but it generates new values every time, and its duration is variable, meaning that I don't know when it has finished. I cannot share information related to the data nor the exact query, but it's of the form

index=... | stats ... | eval val1=... | eval time_val=... | sort time_val | eval val3=... | stats count...

How could I do this?
Hi. In my company we have Symantec Endpoint Security (SES), which is in the cloud. I have created a Bearer Token and have made the configurations by Symantec; the problem occurs when I need to integrate it with Splunk. Is there someone with experience in Symantec who can help me?
Hi everyone. I have a query that calculates a number of metrics, such as average, max value, etc., for a specific date, given an interval from a dropdown menu. All the metrics are then output in a table, in which a row represents one day and the columns are the metrics themselves. I need to apply the same query to a number of days given an interval and output the result of each day as a new row. For example, if the user queries the past 5 days, I need five rows, each with the metrics associated only with the data from that day. How could I do this?
Hi Team, can you please help me to create a statistics table based on the below requirement:

Current output:

Expected output:

Current query:

Index = xyz source = db (TERM(A) OR TERM(B) OR TERM(C) OR TERM(D) ) ("- ENDED" OR "- STARTED" OR "ENDED - ABEND")
| eval Function = case(like(TEXT, "%ENDED - ABEND%"), "ABEND" , like(TEXT, "%ENDED - TIME%"), "ENDED" , like(TEXT, "%STARTED - TIME%"), "STARTED")
| eval DAT = strftime(relative_time(_time, "+0h"), "%d/%m/%Y") , {Function}_TIME=_time
| rename DAT as Date_of_reception
| stats max(Date_of_reception) as Date_of_reception max(STARTED_TIME) as STARTED_TIME max(ENDED_TIME) as ENDED_TIME by JOBNAME
| eval Application = case ( JOBNAME IN ( "A" ,"B") , "A1" , JOBNAME IN ( "C" , "D" ) , "A2" )
| table Application , JOBNAME, Date_of_reception , STARTED_TIME , ENDED_TIME
Hello everyone, we have recently started using ES8 with Mission Control and we would like to use Mission Control's API to export information. With the help of Postman, if we try to retrieve information from an investigation with https://SPLUNK:8089/servicesNS/nobody/missioncontrol/v1/incidents/ES-00001, we get the information. Now in Splunk, if we run the request | rest /servicesNS/nobody/missioncontrol, we get an answer. However, if we try | rest /servicesNS/nobody/missioncontrol/v1/incidents/ES-00001, we don't get an error message but 0 results. My user has admin rights. Does anyone have any idea why? Did we miss something? Thank you for the help!!!
Hello everyone, I'm trying to create a playbook that, based on the message provided by the prompt action, will update the container:open_time field. I already tried the following:

1. Use the container_update custom function, where I've set in the input_json box:

{"custom_fields": {"open_time": prompt_1:action_result.summary.responses.0}}

2. Created a new variable called prompt_value:

prompt_value = container.get("prompt_1:action_result.summary.responses.1", None)
input_json = {}
input_json = {"container:open_time": prompt_value}
parameters.append({ "inpu_json": json.dumps(input_json)})

But I'm receiving the following message: "Valid container entered but no valid container changes provided."

Perhaps someone has a different method to help me resolve this.
Hello Splunkers, checking if anyone has successfully integrated BeyondTrust RS SaaS with Splunk. Their official guide only talks about on-prem integration, where a middleware connector needs to be installed, but for the cloud Remote Support application, how can this be achieved? Is there a custom TA for REST, or can a HEC be used here? Appreciate some assistance here. Thanks! Regards, Moh.
I have a use case where defanged IoC attachments are downloaded from Outlook and uploaded into Splunk. We would like to check if there is any Postman API to upload IoCs for a user with:
a. a Splunk Enterprise license only (lookup table)
b. both Splunk Enterprise and Splunk Enterprise Security licenses
How do I solve my mongod.log file being empty?
KV store featureCompatibility shows: an error occurred during the last operation ( ‘ get parameter’) domain 15 code 13053 no suitable server found serverselection Timeoutms’ expired[ tls handshake failed error:000000lib(0) :func(0):reason[0]

The above error is showing.
I'm building a front-end Node.js Docker image; it needs to install appd. My Node.js version is v22 linux/amd64, and the appd version is 24.12.0. After the image is built, when I try to start the server, I get the error below:

Appdynamics agent cannot be initialized due to Error: /appdynamics/node_modules/appdynamics-libagent-napi/appd_libagent.node: cannot open shared object file: No such file or directory
Error:/node_modules/appdynamics/node_modules/appdynamics-libagent-napi/appd_libagent.node: cannot open shared object file: No such file or directory
at Module._extensions..node (node:internal/modules/cjs/loader:1717:18)
at Module.load (node:internal/modules/cjs/loader:1317:32)
at Module._load (node:internal/modules/cjs/loader:1127:12)
at TracingChannel.traceSync (node:diagnostics_channel:315:14)
at wrapModuleLoad (node:internal/modules/cjs/loader:217:24)
at Module.require (node:internal/modules/cjs/loader:1339:12)
at require (node:internal/modules/helpers:125:16)
at Module._compile (node:internal/modules/cjs/loader:1546:14)

I checked and confirmed the appd_libagent.node is already under
Hi everyone, I am using IAM Identity Center as the IdP for SAML auth. I have 2 groups in the IdP and 2 SAML groups in Splunk with differing roles, and the groups in the IdP contain different users. My issue is I am unable to work out how to assign a user to a group in Splunk based on the user's group in the IdP. I can hard-set the role attribute to the group name, or even both group names, and this will result in all users receiving the referenced Splunk group's role regardless of what group they are assigned to in the IdP. Does anyone know how to resolve this issue, or if there is a user attribute for group?