I am using rex to extract the field names and then inject the data so I can get only the desired fields, but I am not able to do so.

My access logs:

server - - [date & time] "GET /google/page1/page1a/633243463476/googlep1 HTTP/1.1" 200 350 85

My search query:

<query> | rex field=_raw "(?<SRC>\d+\.\d+\.\d+\.\d+).+\]\s\"(?<http_method>\w+)\s(?<serviceName>/[^/]+)(?<uri_path>[^?\s]+)\s(?<uri_query>\S+)\"\s(?<statusCode>\d+)\s(?<body_size>\d+)\s\s(?<response_time>\d+)"

My search query with lookup:

<query> | rex field=_raw "(?<SRC>\d+\.\d+\.\d+\.\d+).+\]\s\"(?<http_method>\w+)\s(?<serviceName>/[^/]+)(?<uri_path>[^?\s]+)\s(?<uri_query>\S+)\"\s(?<statusCode>\d+)\s(?<body_size>\d+)\s\s(?<response_time>\d+)" | search serviceName="/google" | lookup abc.csv uri_path OUTPUT serviceName apiName | search serviceName=* operationName=*

I am using the above query to look up from the CSV file, but every API gets the same count and I am not able to get the stats or logs for only a particular one. Is there a way to match this and produce a result with both uri_path and api_name? Can anyone please help me with this?

E.g. the CSV file looks like this, and I am trying to match apiName and uri_path so the logs are matched properly:

serviceName  uri_path                        http_method  apiName
/google      /page1/page1a/*/googlep1        post         postusingRRR
/google      /page1/page1a/sada/*/googlep1   get          getusingep2
/google      /pag5/ggg/*/ooopp/ggplr         delete       deleteusing
I am using the following query to get the results:

index=abc node=* | chart latest(state) as state by node | stats count by state | sort - state

Below is the column chart display of it. I want to display each state in a custom color. I tried using the line below in the XML, but it is not changing anything:

<option name="charting.fieldColors">{"Allocated":0x333333,"DOWN":0xd93f3c,"IDLE":0xf58f39,"Minor":0xf7bc38,"Notice":0xeeeeee,"Healthy":0x65a637}</option>
I have a question regarding KPI thresholds in Splunk ITSI. When using the cloning action, all KPI thresholds created inherit the Timezone attribute of the user that cloned them. Could anyone give me a working example? Thanks in advance.
How do we relate the query

index=_audit action=search search=* user!=splunk-system-user provenance!=scheduler | table _time user search host total_run_time result_count | sort - _time

to determining the SVC usage of the results?
We're sending logs to Splunk Cloud over port 514 using the following stanza in inputs.conf:

[udp://514]
index=syslog
disabled=false
sourcetype=syslog

This works great; however, we are now sending more than one type of log this way. Can we declare multiple sourcetypes depending upon where the logs originate? For example: if they are from IP address A, give them the "firewall" sourcetype, and if they are from IP address B, give them the "crontab" sourcetype?
Hi, I have the table below. I need to group by a field and eval (+) the values so that they become the table below. Help please.
Hello Splunkers,

I need your help to get the desired result. Below is the sample query for reference.

| makeresults | eval week_year="2022-48",group="ABC",old=64,new=78
| append [| makeresults | eval week_year="2022-48",group="XYZ",old=35,new=15]
| append [| makeresults | eval week_year="2022-49",group="XYZ",old=33,new=17]
| append [| makeresults | eval week_year="2022-49",group="ABC",old=215,new=158]
| fields - _time
| eval target1=round((old/new)*0.17,3)*100,target2=round((old/new)*0.26,3)*100,final=round(old/new,3)*100
| table week_year group final target1 target2
| chart last(final) as final values(target1) as target1 values(target2) as target2 over group by week_year

But since values() is used, we are getting target fields for each week. The expected outcome is to get one line each for target1 and target2. Please help me to get the visualization in the correct format. Thanks in advance!
I am looking at building a home lab for Splunk. Any suggestions for minimum hardware? I can't really do 8 cores / 64 GiB; 6 cores / 32 GiB would be feasible.
My count field is right justified and so far from the description. Is it possible to either left justify the content or right justify the count field in a table?
Hi, I need to know about the server visibility license in Appd ^Edited by @Ryan.Paredez for formatting and Searchability 
Hello, I get a 404 error when I move to the Splunk support portal from splunk.com. How do I fix that?
Hi, my company (Länsförsäkringar AB) in Sweden uses Splunk, and my team uses the Universal Forwarder agent. I wonder if there is a possibility to subscribe to an info mail as soon as a new version of the Universal Forwarder agent (Windows version) is released? Regards // Slobodan Mitrasinovic, +46 768 592717
Why do I get the following messages in splunkd.log after installing Splunk Universal Forwarder in a GCP instance?

12-16-2022 10:49:12.021 +0000 WARN AwsSDK [1903 ExecProcessor] - ClientConfiguration Retry Strategy will use the default max attempts.
12-16-2022 10:49:12.021 +0000 WARN AwsSDK [1903 ExecProcessor] - ClientConfiguration Retry Strategy will use the default max attempts.
12-16-2022 10:49:12.023 +0000 ERROR AwsSDK [1903 ExecProcessor] - EC2MetadataClient Http request to retrieve credentials failed with error code 404
12-16-2022 10:49:12.023 +0000 ERROR AwsSDK [1903 ExecProcessor] - EC2MetadataClient Can not retrive resource from http://169.254.169.254/latest/meta-data/placement/availability-zone
Hi all, I'm trying to set up an email alert notification using Splunk. In the alert description, I only want to mention particular field values that the search returns. I thought of using $result.fieldname$, but, as Splunk says, it only returns the first row's value of the field in the description.

For example:

Field name: numbers
Values: 1,2,3,4,5

Search: index="" | table numbers

Alert description: The number values are: $result.numbers$

Output: The number values are: 1
Expected output: The number values are: 1,2,3,4,5
A new disk was attached to a Windows Server 2012 machine. I restarted the machine agent, but the new disk is still not showing up in AppD under disks. Please assist.
Hello, I'm experiencing an issue with the Splunk TA for O365, in particular with the SharePoint Management Activity logs. The issue is this:

1) 10:00 AM: I activate the input
2) 10:01 AM: Splunk starts to collect 10:00 AM events
3) 10:05 AM: Splunk continues to collect SharePoint logs, but going back in time (9:59 AM, 9:58 AM and so on)
4) 11:00 AM: Splunk is still collecting logs from the past, but the temporary token expires and the input is closed and reopened
5) 11:00 AM: Splunk reopens the input
6) 11:01 AM: Splunk starts to collect 11:00 AM events
7) Jump to step 3, but 1 hour later

Do you know how to stop Splunk from going back in time and have it collect forward in time?

Regards,
Marco
Hi, I need to connect to Splunk using Databricks and then read tables from Splunk in Databricks. How do I do it? I would prefer help with the connection first. Thanks & Regards
Hi all, I have a field "last_seen" which shows the date in the format below.

last_seen
2022-12-15T19:46:55Z
2022-12-14T19:46:55Z
2022-12-11T19:46:55Z

My requirement is to compare today's date against this last_seen date and show only those events whose last_seen is 3 days before today's date. I thought of first calculating a field that shows me the date 3 days before this last_seen value and then doing a | where condition to show me the results. I tried the calculation below, but deltaDays is coming out empty (Splunk shows it blank), so the formula now()-last_seen isn't working.

Reference: https://community.splunk.com/t5/Splunk-Search/Display-events-when-current-date-is-gt-30-days-from-expiration/m-p/249876

| eval deltaDays = (now() - last_seen)/86400
| where deltaDays >=3
| table last_seen deltaDays

Expected results (given today's date is Dec 16), showing results from 3 days before:

last_seen
2022-12-11T19:46:55Z
Reference post: https://community.splunk.com/t5/Splunk-Search/How-to-align-events-returned-by-two-separate-searches-in-a-table/m-p/475647#M133670

Hi team, I have a use case similar to the post above but cannot get the provided solution to work. The following is my query:

index=_audit action=alert_fired
| lookup splunkalerts "Alert Name" as ss_name OUTPUT "CMDB Application Name" AS Application
| search Application="Test"
| stats count(triggered_alerts) as triggered_alerts by Application ss_name severity
| rename ss_name as "Alert Name" severity as "Severity"
| appendcols [ | rest /servicesNS/-/-/saved/searches timeout=120 | lookup splunkalerts "Alert Name" AS title OUTPUT "CMDB Application Name" AS Application "Pipeline Alert" "PROD?" | search Application="Test" | rename eai:acl.owner as owner title as "Alert Name" | fields owner "Alert Name" Application,"Pipeline Alert","PROD?",alert.track,disabled,search,action.email.to,cron_schedule]
| table Application,"Alert Name",Severity,triggered_alerts,"PROD?","Pipeline Alert",alert.track,disabled,search,action.email.to,cron_schedule

The issue I am having with the above query is that the triggered_alerts count returned from the outer query is not aligned with the search field value returned from the subsearch after the appendcols.
I got a "WARNING web interface does not seem to be available" message when I started Splunk. Although I got the above message, I can log in to Splunk via the web page and run searches as expected. Is there anything I need to do to avoid this message?