I have a Splunk dashboard with a dropdown of different client names: A, B, C, ALL. There are logs for each client, and I need to search for and print the count of the selected client from the logs. I am able to do that if a user selects A, B or C, but there is no such client as ALL; if a user selects ALL, I want to see all logs for A, B and C, sum them and show the result on the dashboard. A log looks like:

Client Map Details : {A=123, B=245, C=456}

If a user selects A, we show 123 and plot it on the graph.
If a user selects B, we show 245 and plot it on the graph.
If a user selects C, we show 456 and plot it on the graph.

Query for the above:

index=temp sourcetype="xyz" "Client Map Details : " "A" | rex field=_raw "A=(?<count>\d+)" | table _time count

But how can I change the query based on the user input "ALL" and run another Splunk query that sees all such lines, iterates over the map, sums each value (123+456+245) and then gives a value to plot? How do we change a Splunk query based on user input from the dashboard?
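One way to cover both the single-client and the ALL case in one search, as an added example that is not part of the original post. Instead of hard-coding a client name in the rex, it extracts every key=value pair inside the braces, expands them to one row per client, and keeps either all rows or only the selected client. The sample events are constructed with makeresults, so the index and sourcetype from the post are not needed; the `selected` field stands in for the dashboard dropdown, and the token name `$client$` mentioned below is an assumption.

```spl
| makeresults count=3
| streamstats count AS n
| eval _time = _time - n*60
| eval _raw = case(n==1, "Client Map Details : {A=123, B=245, C=456}",
                   n==2, "Client Map Details : {A=10, B=20, C=30}",
                   n==3, "Client Map Details : {A=1, B=2, C=3}")
``` Constructed sample events; in the dashboard replace the literal below with the dropdown token, e.g. eval selected="$client$"
| eval selected = "ALL"
``` Pull the whole map out of the braces, then every client=count pair inside it (multivalue fields)
| rex field=_raw "Client Map Details : \{(?<map>[^}]*)\}"
| rex field=map max_match=0 "(?<client>\w+)=(?<count>\d+)"
``` One row per client so a single client can be filtered and ALL can be summed
| eval pair = mvzip(client, count, "=")
| mvexpand pair
| rex field=pair "^(?<client>\w+)=(?<count>\d+)$"
| where selected="ALL" OR client=selected
| stats sum(count) AS count by _time
```

With `selected="ALL"` the three sample events give 824, 60 and 6; with `selected="A"` they give 123, 10 and 1, so the same panel search serves every dropdown value. The comment markers inside the block are SPL's triple-backtick comment syntax, which the search bar ignores.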
I am looking for information for a project; my need is to establish a non-production environment. I am looking for information on licenses that will allow me to do that. Sadly, it seems that the test/dev and developer licenses cannot satisfy the needs. Any suggestions?
Hi All, I am trying to export events in JSON format. I am able to do it, and I am getting events like the ones below.

{"preview":false,"result":{"_raw":"{\"tomLogs\":[{\"component\":\"tom\"}]}}}
{"preview":false,"result":{"_raw":"{\"tomLogs\":[{\"component\":\"tom\"}]}}}
{"preview":false,"result":{"_raw":"{\"tomLogs\":[{\"component\":\"tom\"}]}}}

But my expectation is to have these events in a comma-separated array, like the format below.

[
{"preview":false,"result":{"_raw":"{\"tomLogs\":[{\"component\":\"tom\"}]}}},
{"preview":false,"result":{"_raw":"{\"tomLogs\":[{\"component\":\"tom\"}]}}},
{"preview":false,"result":{"_raw":"{\"tomLogs\":[{\"component\":\"tom\"}]}}}
]

Please provide some references that can help to export events in the expected format.
Hi Team, how do I implement the base search functionality to improve the loading time of a Splunk dashboard? I have multiple panels with many server types; each panel has one type of server. Every time I change the time filter, it takes a long time to load the panels with each server's traffic data. So how can I improve this loading time by implementing the base search functionality? Please advise.
I got a free trial of the cloud platform on 12th Dec. Now that I am trying to access the account, it says "your account has been blocked out. Please try again later or contact the administrator." This happened to me when I tried with different email addresses as well. Could you please help me with this?
I want to cut the data that goes up to the fourth "|" symbol. How can I do it with | rex?

Example data:

2022-12-15 15:27:38.073 - INFO | TID = 1878892572955613 | reactor-http-epoll-36 | x.x.x.x.xxxxx.xxx.xxxClient | Response from url=https://xxxxxxxx:8081/xxxx xxxx xxxxxxxx
2022-12-15 15:27:38.082 - INFO | TID = | http-xxx-8080-xxxx-100 | r.n.m.d.d.l.i.util.InfoLoggingUtil | xxxMethod xxxxxx xxxxx {Parsed: bytes=276 | xxxxxxxxMethod.xxxxxxxxMethodData="eyJ0aHJlZURTU2VydmVyVHJhbnNJRCI6ImY3YzIwZTI4LTAzMTctNDFmYS1hZTU5LTkyMzdkZmY4YmNjZCIsInRocmVlRFNNZXRob2ROb3RpZmljYXRpb25VUkwiOiJodHRwczovL3BheW1lbnRjYXJkLnlvb21vbmV5LnJ1OjQ0My8zZHMvZmluZ2VycHJpbnQvbm90aWZpY2F0aW9uLzI3OS9ZR3JmQ21pUS1MdUg1cTFHX2xQTzNLNGFHTzhaLi4wMDIuMjAyMjEyIn0=" | xxxxxxxMethod.param=""}

I want:

Response from url=https://xxxxxxxx:8081/xxxx xxxx xxxxxxxx
xxxxxxxxMethod.xxxxxxxxMethodData="eyJ0aHJlZURTU2VydmVyVHJhbnNJRCI6ImY3YzIwZTI4LTAzMTctNDFmYS1hZTU5LTkyMzdkZmY4YmNjZCIsInRocmVlRFNNZXRob2ROb3RpZmljYXRpb25VUkwiOiJodHRwczovL3BheW1lbnRjYXJkLnlvb21vbmV5LnJ1OjQ0My8zZHMvZmluZ2VycHJpbnQvbm90aWZpY2F0aW9uLzI3OS9ZR3JmQ21pUS1MdUg1cTFHX2xQTzNLNGFHTzhaLi4wMDIuMjAyMjEyIn0=" | xxxxxxxMethod.param=""}
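A rex that keeps everything after the fourth "|", as an added example that is not part of the original post. The pattern consumes four repetitions of "anything that is not a pipe, then a pipe" and captures the rest, so pipes that appear later in the message (as in the second event) are left untouched. The two sample events are constructed copies of the post's data with the long base64 value shortened to a placeholder.

```spl
| makeresults count=2
| streamstats count AS n
``` Constructed sample events; the base64 payload is replaced by a placeholder
| eval _raw = case(n==1, "2022-12-15 15:27:38.073 - INFO | TID = 1878892572955613 | reactor-http-epoll-36 | x.x.x.x.xxxxx.xxx.xxxClient | Response from url=https://xxxxxxxx:8081/xxxx xxxx xxxxxxxx",
                   n==2, "2022-12-15 15:27:38.082 - INFO | TID = | http-xxx-8080-xxxx-100 | r.n.m.d.d.l.i.util.InfoLoggingUtil | xxxMethod xxxxxx xxxxx {Parsed: bytes=276 | xxxxxxxxMethod.xxxxxxxxMethodData=\"BASE64PLACEHOLDER\" | xxxxxxxMethod.param=\"\"}")
``` (?:[^|]*\|){4} skips the first four pipe-delimited columns; \s* drops the space after the fourth pipe
| rex field=_raw "^(?:[^|]*\|){4}\s*(?<message>.*)$"
| table _raw message
```

Events with fewer than four pipes produce no `message` field at all rather than a wrong one, which is usually what you want; add `| where isnotnull(message)` if those should be dropped. To change how many columns are skipped, change only the `{4}` quantifier.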
Hi Splunk Community, I am interested in parsing Splunk searches and I am hoping that somebody here can point me to an existing grammar of the search language that can be used with ANTLR4.  
I am facing an issue when I connect AWS Trusted Advisor to the Splunk extension (AWS Trusted Advisor aggregator). I am adding AWS credentials as input, as the Splunk AWS Trusted Advisor aggregator is not giving any output. Is it possible for Splunk to integrate with AWS Trusted Advisor?
Hi all, my lead gave me a task: to create a table. We have a lot of sourcetypes, and each sourcetype has different states, meaning up and down. When the sourcetype is up we get one log message; when the sourcetype is down we get a log message every 5 minutes. In one day, more than one is also possible. Now, how do I take the first down message after an up?
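One way to keep only the first "down" message that follows an "up", per sourcetype, as an added example that is not part of the original post. It sorts events chronologically within each sourcetype, uses streamstats to carry the previous event's state forward, and keeps the rows where the state flips from up to down; repeated down messages every 5 minutes are dropped because their previous state is also down. The example assumes a `state` field holding "up" or "down" has already been extracted from the message (for example with rex), and the events and sourcetype names are constructed.

```spl
| makeresults count=7
| streamstats count AS n
``` Constructed sample: two sourcetypes, events 5 minutes apart
| eval _time = 1671084000 + n*300
| eval sourcetype = if(n<=4, "app_a", "app_b")
| eval state = case(n==1,"up", n==2,"down", n==3,"down", n==4,"up",
                    n==5,"up", n==6,"down", n==7,"down")
``` Search results arrive newest first; streamstats needs oldest-first order per sourcetype
| sort 0 sourcetype _time
``` current=f makes prev_state the state of the preceding event in the same sourcetype
| streamstats current=f last(state) AS prev_state by sourcetype
``` An up -> down transition is exactly the first down message after an up
| where state="down" AND prev_state="up"
| table _time sourcetype state prev_state
```

The sample returns two rows, one per sourcetype (the events at n=2 and n=6). A down message with no earlier up in the search window has an empty `prev_state` and is not reported, so widen the time range if the first state of the day matters.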
Hi Team, we are not able to see any custom add-on created using the Add-on Builder on the Splunk HF. What is the issue, and how can we resolve it?
Good morning! I'm quite new to Splunk, so I'm having difficulties figuring out how to do this search properly. Here's a small snippet of events:

mc1_date    mc1_time  mc1_system  mc1_catalog           mc1_adds  mc1_updates  mc1_gets  mc1_getupd  mc1_deletes
15.12.2022  08:05:05  SYSS1       CATALOG.MASTER.SYSS1  0         0            5081      0           0
14.12.2022  08:05:16  SYSS1       CATALOG.MASTER.SYSS1  0         0            5012      0           0
13.12.2022  10:05:12  SYSS1       CATALOG.MASTER.SYSS1  0         0            6719      0           0
12.12.2022  08:05:12  SYSS1       CATALOG.MASTER.SYSS1  0         0            5051      0           0
11.12.2022  08:05:03  SYSS1       CATALOG.MASTER.SYSS1  0         0            5008      0           0
10.12.2022  08:05:08  SYSS1       CATALOG.MASTER.SYSS1  0         0            5012      0           0
09.12.2022  14:05:16  SYSS1       CATALOG.MASTER.SYSS1  0         0            11387     0           0

The table above contains the max daily mc1_gets values for CATALOG.MASTER.SYSS1 on SYSS1 from the last 7 days. The whole sourcetype contains hourly data with multiple systems and multiple catalogs per system. What I need is a way to get, per catalog, per system, the standard deviation of the daily max values of mc1_gets over a span of 7 days (or more). The output data for the table above should look something like this in the end:

mc1_system  mc1_catalog           mc1_gets
SYSS1       CATALOG.MASTER.SYSS1  2380.05

Any help would be much appreciated!
With best regards, Duncan Hagen
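A two-stage stats search for the standard deviation of the daily maxima, as an added example that is not part of the original post. The first stats collapses the hourly data to one max per day per system and catalog; the second takes the stdev of those daily values. The seven sample rows are constructed from the post's table (already one value per day, so the first stats is a no-op here, but it is needed on the real hourly data).

```spl
| makeresults count=7
| streamstats count AS n
``` Constructed sample: one daily max per row, going back from 15.12.2022
| eval _time = strptime("15.12.2022 08:05:05", "%d.%m.%Y %H:%M:%S") - (n-1)*86400
| eval mc1_system = "SYSS1", mc1_catalog = "CATALOG.MASTER.SYSS1"
| eval mc1_gets = case(n==1,5081, n==2,5012, n==3,6719, n==4,5051,
                       n==5,5008, n==6,5012, n==7,11387)
``` Stage 1: daily max of mc1_gets per system and catalog (this is where hourly data collapses)
| bin _time span=1d
| stats max(mc1_gets) AS daily_max by _time mc1_system mc1_catalog
``` Stage 2: sample standard deviation of the daily maxima (Splunk's stdev is the sample stdev)
| stats stdev(daily_max) AS mc1_gets by mc1_system mc1_catalog
```

On these seven values the result is 2380.05, matching the expected output in the post. On the real sourcetype replace the makeresults block with the index and sourcetype search and set the time picker to 7 days or more; the two stats lines are unchanged.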
Hi All, can anyone help me with a query for short-lived accounts, with the condition that a user creates and then deletes an account in Active Directory within 10 minutes? I don't need the logs of the user creation and deletion. Thanks in advance.
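A detection for accounts created and deleted within 10 minutes, as an added example that is not part of the original post. It pairs Windows Security event 4720 (user account created) with 4726 (user account deleted) by target account name and keeps only pairs whose lifetime is at most 600 seconds, returning one summary row per account rather than the raw creation and deletion events. Event IDs 4720 and 4726 are the standard Windows Security IDs; the field names `EventCode`, `TargetUserName` and `SubjectUserName` are assumptions that depend on the Windows add-on and event format in use, and the events below are constructed.

```spl
| makeresults count=5
| streamstats count AS n
``` Constructed sample: svc_tmp01 lives 400 s, jdoe lives 4880 s, auditor is never deleted
| eval _time = 1671084000 + case(n==1,0, n==2,120, n==3,400, n==4,5000, n==5,200)
| eval EventCode = case(n==1,4720, n==2,4720, n==3,4726, n==4,4726, n==5,4720)
| eval TargetUserName = case(n==1,"svc_tmp01", n==2,"jdoe", n==3,"svc_tmp01", n==4,"jdoe", n==5,"auditor")
| eval SubjectUserName = case(n==1,"admin7", n==2,"helpdesk", n==3,"admin7", n==4,"helpdesk", n==5,"admin7")
``` Creation time comes only from 4720 events, deletion time only from 4726 events
| stats min(eval(if(EventCode==4720, _time, null()))) AS created
        max(eval(if(EventCode==4726, _time, null()))) AS deleted
        values(SubjectUserName) AS actors
        by TargetUserName
``` Accounts with no matching deletion get a null lifetime and are dropped by the where clause
| eval lifetime_sec = deleted - created
| where isnotnull(lifetime_sec) AND lifetime_sec >= 0 AND lifetime_sec <= 600
| eval created = strftime(created, "%Y-%m-%d %H:%M:%S"),
       deleted = strftime(deleted, "%Y-%m-%d %H:%M:%S")
| table TargetUserName actors created deleted lifetime_sec
```

The sample returns only svc_tmp01 (lifetime 400 s, created and deleted by admin7). In production, replace the makeresults block with the Windows Security index search restricted to `EventCode IN (4720,4726)`. Because the pairing is by account name, an account name that is created and deleted more than once inside the search window is summarised as one row from its first creation to its last deletion; narrow the window or add a per-account cycle counter with streamstats if that matters for your environment.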
I am performing the chart command on the below kind of table.

Command: | chart values(course) as course over ID by status

Received output as below:

Expected output:

Kindly help to resolve this. I have tried | mvexpand status also, but it is picking only the first value and providing the wrong output.
Hello there! I am working on a test environment where I only have one Splunk instance. I have succeeded in securing Splunk Web with SSL. I have the following problem:

Here are my config files:

web.conf
[settings]
enableSplunkWebSSL = true
privKeyPath = <path to key>
serverCert = <path to certificate>

server.conf
[sslConfig]
sslPassword = password
sslVerifyServerCert = True
sslVerifyServerName = True
serverCert = <path to certificate>
cliVerifyServerName = true
sslRootCAPath = <path to CA certificate>

[kvstore]
serverCert = <path to certificate>
sslPassword = password
sslVerifyServerCert = True
sslVerifyServerName = True

[pythonSslClientConfig]
sslVerifyServerCert = true
sslVerifyServerName = true

splunk-launch.conf
PYTHONHTTPSVERIFY = 1
SPLUNK_FIPS=1

I know that the configuration for securing the environment with TLS has changed since version 9.0 of Splunk Enterprise. My CLI doesn't display any warning or error. I have followed everything suggested in these links:

Security updates - Splunk Documentation
Configure TLS certificate host name validation - Splunk Documentation
Configure Splunk Web to use TLS certificates - Splunk Documentation

Any help would be appreciated! Regards
Hi, I am trying to upload data to Splunk with the help of a Python script. I am getting a 401 (Unauthorized) error on running the code, but I provided the valid user credentials which I use for logging into Splunk Enterprise. Can you help me figure out the reason for this error? Here is a copy of the error that occurred.

Traceback (most recent call last):
  File "E:\", line 912, in login
    response = self.http.post(
  File "E:\", line 1273, in post
    return self.request(url, message)
  File "E:\", line 1302, in request
    raise HTTPError(response)
splunklib.binding.HTTPError: HTTP 401 Unauthorized -- Login failed

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "E:\", line 263, in <module>
    server = splunklib.client.connect(host=ARGS.splunk, username='', password='')
  File "E:\", line 345, in connect
    s.login()
  File "E:\", line 925, in login
    raise AuthenticationError("Login failed.", he)
splunklib.binding.AuthenticationError: Login failed.
I want to pass the _time of the events from the main search to a subsearch, but it is not working. Is there any way to do this?

index=event_data
|eval earlytime=_time-60, latesttime=_time+60
|fields earlytime,latesttime
[ |search index=event_data2 earliest=earlytime latest=latesttime |return event_host,event_user ]
|table event_host,event_user

I would appreciate your help.
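A subsearch cannot receive values from the outer search, because Splunk runs the subsearch first and splices its result into the outer search. To run a second search once per event of the first search, using that event's time window, the map command does what the post is trying to do. This is an added example, not part of the original post; it assumes the indices `event_data` and `event_data2` and the fields `event_host` and `event_user` from the post exist, and that a 60-second window either side of each event is wanted.

```spl
index=event_data
``` Epoch boundaries for each outer event; these field names become the $...$ tokens below
| eval earliest_t = _time - 60, latest_t = _time + 60
| fields earliest_t latest_t
``` map runs the quoted search once per outer result, substituting that result's field values
| map maxsearches=50 search="search index=event_data2 earliest=$earliest_t$ latest=$latest_t$ | stats values(event_host) AS event_host values(event_user) AS event_user"
| table event_host event_user
```

map launches one search per outer event and stops at `maxsearches` (default 10), so restrict the outer search as tightly as possible. If the window is the same for every event and all you need is a combined result, the cheaper form is to reverse the roles: put `index=event_data | stats min(_time) AS earliest max(_time) AS latest | eval earliest=earliest-60, latest=latest+60` in the subsearch and search `index=event_data2` outside it.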
I am moving Splunk 6.6.1 to another empty server. Because I cannot find the Splunk 6.6.1 install package, I moved the Splunk home directory directly to the new server. I edited /opt/splunk/etc/system/local/web.conf and inputs.conf to use the new host name. I also edited /etc/hosts to make it like "127.0.0.1 <new host name> localhost". When I start Splunk I get the messages below:

-------
Checking prerequisites...
        Checking http port [80]: open
        Checking mgmt port [8089]: open
        Checking appserver port [127.0.0.1:8065]: open
        Checking kvstore port [8191]: open
        Checking configuration... Done.
        Checking critical directories... Done
        Checking indexes...
                Validated: XXXX,YYYY
        Done
        Checking filesystem compatibility... Done
        Checking conf files for problems... Done
        Checking default conf files and edits...
        Validating installed files against hashes from '/opt/splunk/splunk-6.6.1-aeae3fe0c5af-linux-2.6-x86_64-manifest'
        All installed file intact.
        Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)...
Done

Waiting for web server at https://127.0.0.1:80 to be available..  <- This never becomes available.
-------

What did I miss here? I already confirmed related posts in the community and had no luck. Please help me with this error. Any help will be very much appreciated.
Hi Team,

Environment: 1 search head, 2 indexers, 1 deployment server, 1 heavy forwarder, 1 cluster master.

Problem statement:
1) I am unable to retrieve events when searching with index=*
2) When I checked connectivity, all were connected (SH --> Indexers --> CM --> HF --> DS). When I checked the internal index, it shows "401 client is not authenticated". When checked from the backend, there is no error showing in splunkd.log.
We already have a dashboard in the Splunk Cloud Platform. I want to trigger an external script from a dashboard panel. Once I click the submit button, the script should be executed and should display the output in the dashboard panel. It is to automate some day-to-day activities and stop manual interventions. For example, if a dashboard panel shows an application error, then we should restart the application with an external script. Please let me know whether we can do this from a Splunk dashboard.
Hi, when I search for the top users who logged into a host, I get event data along with the user when I use a pipe, e.g.:

sourcetype="hostname" "authentication success" | top limit=50 User

Can someone help with this issue?