All Topics

Hello Experts, I would need your help. My Splunk Enterprise license is going to expire in the next 10 days, but I have already installed a new license. Now I have two licenses in Splunk Enterprise: the first will expire in the next 10 days and the second is the new one. Please guide me: will my newly added license automatically take over when the old license expires after 10 days, or do I need to remove the old license right away so that the newly added license can take its place?
I want to group the table below as shown. I have a column where the numbers are in all series; I want to segregate the 100 series and the 400 series separately and get the count. Kindly advise on the query.

num1   Count of 100 series   Count of 400 series
100    100                   400
123    123                   402
400
402
I have a field "facilityAlias" whose location can change in every API log file. I have to extract that field using the regex method. I have tried a regex statement but am not getting the expected result.
Regex statement:
rex field=_raw "facilityAlias\":\"(?<facility>.*)\","
Expected result: Parc de Salut Mar Barcelona
Current result: Parc de Salut Mar Barcelona","systemName":"CMPSB
Sample log:
2023-01-02 23:36:58,521 [[MuleRuntime].uber.3869: [abcd-message-kdhskhdsk-api].Delete_msg_from_queue.BLOCKING @27fe0275] INFO  com.skdhksh.jsdhjshd.hsd.logging.internal.CustomLoggerOperations - {"environment":"stag36rcf_eu-env","applicationName":"abcd-message-kdhskhdsk-api","correlationId":"kshddhks-3o4u-jshd8-aksdbkadkahd","apiProcessingTime":347,"totalProcessingTime":740,"tracePoint":"END","logMessage":"{\n  \"url\": \"abcd\",\n  \"bucketName\": \"dipeus-data-store\",\n  \"s3versionID\": \"shdkshdkshdkshdkshdkshdkjshd\",\n  \"s3key\": \"ljdljdlajldj]dsdsd\ksdjksjdksjdksjdksjksjd\ksdjksjd\"\n}","txnMetadata":{"bundleId":"ahsdkhsdh-skjdhshdkshd-skdhshdks-skdhkshd","messageType":"abcd","messageSubType":"kdshdkshdks","facilityAlias":"Parc de Salut Mar Barcelona","systemName":"CMPSB","transactionStartTime":1672702617781,"relatesToPatientMerge":false,"inputPayload":"adhkjshdkshdkshdkshd"},"apiStartTime":"1672702618174"}
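As an added illustration of why the rex in the post above over-captures (example code, not from the original post): the pattern's greedy `.*` keeps matching until the last `",` that follows the field name, so it swallows "systemName" on the way. The block is plain Python because, for the constructs involved (greedy quantifier, negated character class, non-capturing group), its `re` module behaves the same as the PCRE engine behind rex. The first sample is the log line from the post reproduced verbatim; the second sample, with escaped quotes inside the value, is constructed to show the edge case the simple fix does not cover.

```python
import json
import re

# Constructed sample: the log line from the post above, reproduced verbatim.
# Raw strings keep the literal \n and \" sequences that the JSON payload carries.
SAMPLE = (
    r'2023-01-02 23:36:58,521 [[MuleRuntime].uber.3869: [abcd-message-kdhskhdsk-api]'
    r'.Delete_msg_from_queue.BLOCKING @27fe0275] INFO  '
    r'com.skdhksh.jsdhjshd.hsd.logging.internal.CustomLoggerOperations - '
    r'{"environment":"stag36rcf_eu-env","applicationName":"abcd-message-kdhskhdsk-api",'
    r'"correlationId":"kshddhks-3o4u-jshd8-aksdbkadkahd","apiProcessingTime":347,'
    r'"totalProcessingTime":740,"tracePoint":"END","logMessage":"{\n  \"url\": \"abcd\",\n  '
    r'\"bucketName\": \"dipeus-data-store\",\n  \"s3versionID\": \"shdkshdkshdkshdkshdkshdkjshd\",\n  '
    r'\"s3key\": \"ljdljdlajldj]dsdsd\ksdjksjdksjdksjdksjksjd\ksdjksjd\"\n}",'
    r'"txnMetadata":{"bundleId":"ahsdkhsdh-skjdhshdkshd-skdhshdks-skdhkshd","messageType":"abcd",'
    r'"messageSubType":"kdshdkshdks","facilityAlias":"Parc de Salut Mar Barcelona",'
    r'"systemName":"CMPSB","transactionStartTime":1672702617781,"relatesToPatientMerge":false,'
    r'"inputPayload":"adhkjshdkshdkshdkshd"},"apiStartTime":"1672702618174"}'
)

# The pattern from the post: greedy .* runs to the LAST '",' after the field name.
GREEDY = re.compile(r'facilityAlias\":\"(?P<facility>.*)\",')

# Fix: a negated character class cannot cross the closing quote. The same change
# in SPL reads: rex field=_raw "facilityAlias\":\"(?<facility>[^\"]*)\""
FIXED = re.compile(r'facilityAlias\":\"(?P<facility>[^"]*)\"')

# If a value may itself contain escaped quotes (\"), also accept a backslash
# followed by any character inside the value.
ROBUST = re.compile(r'facilityAlias\":\"(?P<facility>(?:[^"\\]|\\.)*)\"')


def extract(pattern, event):
    """Return the facility captured by pattern, or None if it does not match."""
    m = pattern.search(event)
    return m.group("facility") if m else None


def unescape(raw):
    """Turn the captured JSON-escaped value into its real text (\\" -> ")."""
    return json.loads('"' + raw + '"')


# Constructed edge case (not from the post): a value containing escaped quotes.
ESCAPED = '{"txnMetadata":{"facilityAlias":"Hospital \\"Sant Pau\\"","systemName":"X"}}'

if __name__ == "__main__":
    for name, pat in (("greedy", GREEDY), ("fixed", FIXED), ("robust", ROBUST)):
        print(f"{name:7s} -> {extract(pat, SAMPLE)!r}")
    print("escaped value ->", unescape(extract(ROBUST, ESCAPED)))
```

The greedy pattern reproduces exactly the "current result" quoted in the post; `[^"]*` yields the expected value. Use the robust variant only if the upstream application can emit quotes inside the alias, and remember that rex hands back the still-escaped text, so decode it before comparing against a lookup.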
Can anyone explain what an ad hoc search is?
Hi all, I deal with multi-value fields and try to provide a multiselect dropdown for users. Therefore, I use mvfind() in the settings for Token value (Prefix) / Token value (Suffix).
Token value (Prefix) = isnotnull(mvfind( HWid, "
Token value (Suffix) = "))
It works well if I input one HW ID or many HW IDs. However, I get into trouble when inputting "all". I want to provide users all events by default, but I am unable to find a way to do this using mvfind(). It is similar to a wildcard (all/any values) for mvfind(). Is there any suggestion on how to provide all events with mvfind()? Thank you so much! Jouman
I have uploaded screenshots of logs from the same time, but in one log the stack and task fields are empty and in the other they are filled. What is the reason behind this? Can someone help me figure it out?
My free Splunk Cloud account is locked at the moment. I'm using it for an interview. Thankfully I've been able to complete my dev and code on the local deployment. I've sent support an email: support at splunk dot com. I also have a dev license; however, I was not able to apply it to my cloud account when I did have access. It was a success on a local Win 10 server, however. Could someone explain to me the brief process of resetting my account? I've used 3 cloud providers and other PaaS's with issues and personally, I'm lost.
Hello, I need help with setting alerts for any event not started by a specific time. I have a lookup file with details for many batch jobs, with fields like job name, run date, start time and alert time.

job name   run date                          start time   alert time
job1       1st working date of every month   9:00         10:00
job 2      1st working date of every month   11:00        12:00
job3       1st working date of every month   12:00        13:00
job4       1st working date of every month   13:00        14:00

When the job runs we see an event with job name, start date, start time, end date, end time, status etc. If any job is not started by the alert time on the first of every month, I want to trigger an alert to notify the user that the batch job has not started. Appreciate your help. Vijay
I want to represent the incident data (total number in opened and closed status) biweekly. Please help.
How can we stop Docker from sending these logs? We recently disabled the ingestion from Docker to Splunk in the Splunk HEC settings. But after we disabled and deleted the HEC settings in Splunk, this issue occurs.
01-02-2023 09:33:13.494 -0800 ERROR HttpInputDataHandler [54154 HttpDedicatedIoThread-0] - Failed processing http input, token name=n/a, channel=n/a, source_IP=10.22.100.6, reply=4, events_processed=0, http_input_body_size=291831, parsing_err=""
01-02-2023 09:33:13.379 -0800 ERROR HttpInputDataHandler [54154 HttpDedicatedIoThread-0] - Failed processing http input, token name=n/a, channel=n/a, source_IP=10.22.100.6, reply=4, events_processed=0, http_input_body_size=225158, parsing_err=""
We are getting almost 5,000 ERRORs every day. We tried deleting the daemon.json in Docker (https://docs.docker.com/config/containers/logging/splunk/), but Docker is still sending error logs.
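One way to confirm who is still hitting the HEC endpoint and with what, as an added example that is not part of the post above: parse the splunkd.log lines quoted there and group the rejections by source IP, token name and reply code. The first two sample lines are the ones from the post; the third is constructed (the token name docker_hec and the address 10.22.100.9 are invented) so that the grouping shows what a request carrying a still-configured token looks like next to the unauthenticated ones.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the two splunkd.log lines from the post above, plus one
# invented line (token name and IP are hypothetical) carrying a named token.
SPLUNKD_LINES = [
    '01-02-2023 09:33:13.494 -0800 ERROR HttpInputDataHandler [54154 HttpDedicatedIoThread-0] - '
    'Failed processing http input, token name=n/a, channel=n/a, source_IP=10.22.100.6, reply=4, '
    'events_processed=0, http_input_body_size=291831, parsing_err=""',
    '01-02-2023 09:33:13.379 -0800 ERROR HttpInputDataHandler [54154 HttpDedicatedIoThread-0] - '
    'Failed processing http input, token name=n/a, channel=n/a, source_IP=10.22.100.6, reply=4, '
    'events_processed=0, http_input_body_size=225158, parsing_err=""',
    '01-02-2023 09:40:02.101 -0800 ERROR HttpInputDataHandler [54154 HttpDedicatedIoThread-0] - '
    'Failed processing http input, token name=docker_hec, channel=n/a, source_IP=10.22.100.9, reply=4, '
    'events_processed=0, http_input_body_size=512, parsing_err=""',
]

LINE_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) '
    r'ERROR HttpInputDataHandler \[[^\]]*\] - Failed processing http input, (?P<kv>.*)$'
)
# Keys may contain a space ("token name"); values are either quoted or run to the next comma.
KV_RE = re.compile(r'(?:^|, )([\w ]+)=("(?:[^"\\]|\\.)*"|[^,]*)')


def parse_line(line):
    """Return (timestamp, {key: value}) for one HttpInputDataHandler error, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f %z")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    return ts, fields


def summarize(lines):
    """Group rejected HEC requests by (source_IP, token name, reply code)."""
    summary = defaultdict(lambda: {"requests": 0, "bytes": 0, "first": None, "last": None})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not an HttpInputDataHandler error line
        ts, f = parsed
        entry = summary[(f.get("source_IP"), f.get("token name"), f.get("reply"))]
        entry["requests"] += 1
        entry["bytes"] += int(f.get("http_input_body_size", "0"))
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(summary)


def senders_without_token(summary):
    """Source IPs whose requests could not be matched to any configured HEC token."""
    return sorted({ip for (ip, token, _reply) in summary if token == "n/a"})


if __name__ == "__main__":
    s = summarize(SPLUNKD_LINES)
    for (ip, token, reply), e in sorted(s.items()):
        print(f"{ip:15s} token={token:10s} reply={reply} requests={e['requests']} bytes={e['bytes']} "
              f"{e['first']:%H:%M:%S} .. {e['last']:%H:%M:%S}")
    print("unauthenticated senders:", senders_without_token(s))
```

Run it over a day of splunkd.log and the first group identifies the host to fix. `token name=n/a` means Splunk could not map the request's token to any configured input, which is the expected state once the token has been deleted: nothing is indexed, but every request is still logged as an error until the sender stops. Map the reply code against the HEC status-code table in Splunk's documentation rather than guessing. On the Docker side, a container keeps the log driver it was created with, so removing the splunk driver from daemon.json only affects containers created afterwards; `docker inspect --format '{{.HostConfig.LogConfig.Type}}' <container>` shows what a running container is actually using.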
Hello, the question is pretty simple: is there any way to query a KV store to find the last time that KV store was updated? I know how to do that for an index, but the query doesn't work for KV stores. Thank you
Hi, how can we find out the list of universal forwarders sending data to Splunk? Also, how do we ensure that all the UFs that have been configured are sending data to Splunk? Thank you so much in advance
I can't set up the sending of Windows logs with Splunk Event Log. No information appears on the Splunk Cloud console, neither the logs nor even the computer name. I followed the procedure by installing and configuring the Universal Forwarder and installing the add-on on the console, but it doesn't seem to work. Do you have any suggestions on how to solve this problem?
Anti-Bot related logs are not appearing in the data model results when I run the data model based search below. Could you please guide me on how to fix this issue? Thank you.
| from datamodel:"Intrusion_Detection".AntiBot | search Gateway=xxxxxx
But when I run the index based search below, the logs are visible.
index=checkpoint product=Anti-Bot signature!="" severity IN (High, critical) confidence_level=low
Below is the sample log line.
time=1672655849|hostname=xxxx|severity=High|confidence_level=Low|product=Anti-Bot|action=Detect|ifdir=outbound|ifname=eth3|loguid={0x5127e871,0xbd548381,0xe17d3047,0x8b1277fc}|origin=x.x.x.x|originsicname=CN\=XXXXX,O\=XXXXXX|sequencenum=11|time=1672655849|version=5|dns_message_type=Query|dst=X.X.X.X|lastupdatetime=1672658788|log_id=2|malware_action=Trying to locate a C&C|malware_rule_id={XXXXX}|malware_rule_name=Anti-Bot Prevent Mode|policy=XXXX|policy_time=1668791496|protection_id=XXX|protection_name=XXXXX|protection_type=DNS reputation|proto=17|question_rdata=XXX|received_bytes=0|resource=technetium.network|rule_name=XXX|rule_uid=XXXX|s_port=53361|scope=x.x.x.x|sent_bytes=0|service=xx|session_id={0x63b26e99,0x11,0x5f17f465,0xc5683bca}|smartdefense_profile=XXXX Standard Anti-bot - Prevent|src=x.x.x.x|suppressed_logs=10|tid=57558|layer_name=IPS|layer_name=IPS|layer_name=IPS|layer_uuid={xxxx}|layer_uuid={xxxx}|layer_uuid={xxxx}|layer_uuid={xxx}|layer_uuid={xxxx}|layer_uuid={xxxx}|malware_rule_id={xxxxx}|malware_rule_id={xxxxx}|malware_rule_id={xxxxx}|malware_rule_id={xxxxx}|malware_rule_id={xxxxx}|malware_rule_id={xxxxx}|malware_rule_name=IPS - Prevent Profile|malware_rule_name=Anti-Bot Prevent Mode|malware_rule_name=IPS - Prevent Profile|malware_rule_name=Anti-Bot Prevent Mode|malware_rule_name=IPS - Prevent Profile|malware_rule_name=Anti-Bot Prevent Mode|smartdefense_profile=XXXX Standard IPS - Prevent|smartdefense_profile=XXX Standard Anti-bot - Prevent|smartdefense_profile=xxxxx Standard IPS - Prevent|smartdefense_profile=xxxxx Standard Anti-bot - Prevent|smartdefense_profile=xxxxx Standard IPS - Prevent|smartdefense_profile=xxxxx Standard Anti-bot - Prevent
Hi, when using the "Insert link" option in "Markdown Text" in Dashboard Studio, I would like the link/URL to open in a new browser tab. I found the suggestions below; however, neither of these options seems to work.
[link](url){:target="_blank"}
<a href="http://example.com/" target="_blank">Hello, world!</a>
Any suggestions?
I configured the Splunk triggered actions for Slack and Datadog events, but I am only getting the Slack notification; the Datadog events are not being created or triggered. Below is the configuration.
I have a use case where I would need to use regex to extract values only if a condition is met.
index=sample [search index=sample key=my_key | table msg host]
| rex max_match=0 field=_raw "a\d=\"(?<test>.*?)\""
| eval a = if(len(a)>255 OR isnull(a),"*Regex and if statements need to be here*",a)
| stats values(test) as test by msg host
The aim is to use regex inside the if statement. The logic is: if len(a) or a is null, then use regex and populate the value test. I am looking for the same functionality as match(), but instead of a boolean value I need the matched results. Is there any way to get this functionality?
Hi All, I want to delete a few services and their entities from the Splunk ITSI search head. If I delete the services directly, does it remove all the associated entities? Regards, PNV
 
msiexec.exe /qn /I splunkforwarder-9.0.2-17e00c557dc1-x64-release.msi DEPLOYMENT_SERVER="10.0.0.7:8089" SPLUNKUSERNAME=Admin SPLUNKPASSWORD=S@M3!! AGREETOLICENSE=Yes LAUNCHSPLUNK=0

This appears to be an upgrade of Splunk.
--------------------------------------------------------------------------------)
Splunk has detected an older version of Splunk installed on this machine. To finish upgrading to the new version, Splunk's installer will automatically update and alter your current configuration files. Deprecated configuration files will be renamed with a .deprecated extension.
You can choose to preview the changes that will be made to your configuration files before proceeding with the migration and upgrade:
If you want to migrate and upgrade without previewing the changes that will be made to your existing configuration files, choose 'y'.
If you want to see what changes will be made before you proceed with the upgrade, choose 'n'.
Perform migration and upgrade without previewing configuration changes? [y/n] y
-- Migration information is being logged to 'c:\program files\splunkuniversalforwarder\var\log\splunk\migration.log.2022-12-31.15-42-09' --
Migrating to:
VERSION=9.0.2
BUILD=17e00c557dc1
PRODUCT=splunk
PLATFORM=Windows-AMD64

It seems that the Splunk default certificates are being used. If certificate validation is turned on using the default certificates (not-recommended), this may result in loss of communication in mixed-version Splunk environments after upgrade.
"c:\program files\splunkuniversalforwarder\etc\auth\ca.pem": already a renewed Splunk certificate: skipping renewal
"c:\program files\splunkuniversalforwarder\etc\auth\cacert.pem": already a renewed Splunk certificate: skipping renewal
Failed to start mongod. Did not get EOF from mongod after 5 second(s).
[App Key Value Store migration] Starting migrate-kvstore.
Created version file path=c:\program files\splunkuniversalforwarder\var\run\splunk\kvstore_upgrade\versionFile36
[App Key Value Store migration] Collection data is not available.
ERROR - Failed opening "c:\program files\splunkuniversalforwarder\va