Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hello, what are the recommended thresholds on the Splunk Cloud SH Health Report Manager for Search Lag, Searches Delayed and Searches Skipped In? Thanks
Hello! I'm having trouble finding a way to provide panels for user-input percentages on raw events. The user can input 90, 75, 50, 25, or any value to represent percentage 90, percentage 75, percentage 50, percentage 25, and so on. The corresponding events should be displayed in separate panels. The number of panels displayed depends on how many values the user inputs. Does anyone have ideas on how to implement this? Thank you so much.
Hello, can someone help me figure out how to create a drilldown by clicking on a marker in a Dashboard Studio map? Additionally, I need to be able to either customize the mouseover tooltip or at least add another field rather than just displaying the Lat/Lon. Thanks, David
For an index, the jobs are getting queued whenever the users run searches. Please let me know where to increase/tweak the quota.
On a Windows Server, when I go to Settings \ Monitoring Console and launch it, there is a menu item called "Forwarders: Instance" which appears not to be configured, and when I try to run setup I get this warning about it affecting performance. So my question is: are any of you running this feature?

Forwarder Monitoring Setup
Forwarder monitoring dashboards provide information on forwarder activity and throughput. If you turn on forwarder monitoring, Splunk Enterprise enables a scheduled search named "DMC Forwarder - Build Asset Table" that relies on internal network input metrics that your indexers record. If you have many forwarders, this search can significantly affect the search workload of the indexers. To mitigate the cost of this search, increase the data collection interval so that the search runs less frequently.

Forwarders: Instance
Forwarder Monitoring is disabled. Please go to the setup page to enable it.
Hello, I have an indexer server that crashes from time to time. What is the best way to investigate what caused the problem? How can I see the logs through index=_internal and splunkd.log?
Hello! If a new event log is generated in the index, is it possible for a Python script to read the event log and generate a new log? I want to analyze the event log with a Python script and draw a graph on a dashboard from the analyzed new log.
Hi all, how do I resolve high memory usage on the Splunk universal forwarder? How can I check which files are causing the issue? Any steps to troubleshoot memory issues?
Hello, I have a problem with a custom app in Splunk. I've written a simple app that uses the Python requests library to query the Microsoft Graph API. It works perfectly for most queries, but when I try to use it to get all users in our AAD environment, it throws an error: ERROR ChunkedExternProcessor [111784 phase_1] - Failed to find newline while reading transport header. This always happens at the same page (I have to use pagination, since the API returns 100 lines per response). I've looked at that page, and the one after, but nothing special caught my eye. This is a Splunk-specific issue: I can use the requests library to get all the results and the json library to dump them with no problems, but when I use these in conjunction with splunklib and yield the results as rows, I get the error above. The logs (with debug mode on) don't seem to have any other clues. Could this be an encoding issue? Could the results have some special characters that throw the Python code off somehow? Any help is greatly appreciated!
Anyone else find that running the automagic app version updates is hit and miss? Sometimes it works, and sometimes it doesn't. Error: An error occurred while installing the app: 500
Hi there, I have a search where I want to see where one date field is the same as or starts before another, but my search results only show me events where both dates are the same. Can you help? I am trying to find events which contain an end date that is before the created date. The data isn't create so a typical date entry would be 12112022

index=UAT sourcetype="Test_Txt_data"
| eval end_date_epoch = strptime(end_date,"%d%m%Y")
| eval created_date_epoch = strptime(created_date,"%d%m%Y")
| where end_date_epoch <= created_date_epoch
| eval end_date = strftime(end_date_epoch, "%d/%m/%Y"), created_date = strftime(created_date_epoch, "%d/%m/%Y")
| table proposal, created_date, end_date
Hi, I want to use the 'AND' keyword either in startsWith or in endsWith:

<<search>> | transaction startsWith="some text" AND "some other text" endswith="some text" AND "some other text"

Is this possible?
Hi all, I am working on analyzing processing time among 10 devices and categorizing all the events into 3 categories, "Max", "Avg" and "PR99" (which means the processing time at the 99th percentile of all events), for each device.

Raw data:

Category  Processing time(sec)  Device id
Max       121                   1
PR99      106                   1
Avg       70                    1
Max       117                   2
PR99      106                   2
Avg       71                    2
Max       78                    3
PR99      77                    3
Avg       62                    3
...       ...                   ...

I want to display each category in a separate panel only if the category is selected. Does anyone have a suggestion on how to implement this in Splunk? For example, if I select "Max" and "Avg" through some scroll bar:

Panel 1: List "Max" only
Category  Processing time(sec)  Device id
Max       121                   1
Max       117                   2
Max       78                    3
...       ...                   ...

Panel 2: List "Avg" only
Category  Processing time(sec)  Device id
Avg       70                    1
Avg       71                    2
Avg       62                    3
...       ...                   ...

Thank you. Jounman
Hey, I'm trying to delete events that got into the system in a specific time range. I see the events when I use the Splunk time range picker, but when I try to use where to find those events without the time picker I can't find them, and I'm too scared to just run a delete query without specifying exactly what I want to delete. I've also tried only one "where" clause with earliest and latest, which didn't work either. What am I doing wrong?
Hello. How do I collect Microsoft Exchange 2019 audit logs into Splunk?
Despite having a local\outputs.conf file properly populated with 6 indexers, one of our non-clustered search heads does not show anything under "Forward data" as defined in the Web GUI. Any suggestions where and how to check what is overwriting this?
What is the difference between the standard and transparent federated search types in Splunk, with examples or use cases?
Hi, we index the accesses made on a filer. For each action on a file, events are generated and indexed in Splunk. The copy of a file does not directly generate a "copy" event, but the "Event.System.EventName" field consecutively takes the three values "Open Object", "Get Object Attributes", "Read Object". This corresponds to three events in Splunk with no real common fields. How do I build a query that would identify this consecutive sequence of events to alert us of a file copy? Maybe the streamstats command could be used, but I can't figure out how.
I'm working on an input.conf from a universal forwarder when I noticed the first stanza is missing a ], e.g. [WinEventLog://Application instead of [WinEventLog://Application]. I do not have direct access to the UF to check the logs. What effect, if any, would this have on log ingestion? Thanks
Hi. I would like to import the services defined in our CMDB as ITSI services. It seems that you have to set a specific team when you do the import, and for my trial it created duplicate services if the service was defined in another team than the one I specified at load time. I could then create an import for each team, but it seems quite cumbersome when I can get the team in the data I get from the CMDB, so I would really like to know if anybody has tried and found a solution where you are not hard-defining the team, but use values or even the team id from ITSI to create the services in one go? Kind regards, las