Hi, from the events below, how do I convert epoch time to a desired time zone? I want to convert LAST_START="1670326641", LAST_END="1670326670", NEXT_START="1670412600" into the desired time zone based on the TIMEZONE field.
Hi Team, we are getting huge audit logs and want to blacklist them in inputs.conf.

index=*linux* source="/var/log/audit/audit.log" type=proctitle
Trying to develop an app that has the 'cryptography' library as a dependency. The built-in Splunk Python interpreter refuses to be compatible with it (I believe something to do with the CPython that it requires). I solved the issue by using a virtual environment within the app, which is then called using subprocess. The main thing I am concerned about is cross-compatibility between different operating systems and architectures, as this env is created locally on my machine. Would it be better for this virtual environment to be created using Python on the target machine when the app is used for the first time / after the setup page? If so, would this pass the Splunk App inspection in order to be compatible with Splunkbase and Splunk Cloud?
Hello, we would like to compare the sources we ask to index with the current state in Splunk (compare inputs.conf and current license usage) to see if we have missing data. I found this https://community.splunk.com/t5/Getting-Data-In/How-can-I-get-a-list-of-data-inputs-using-the-REST-API/m-p/389012 to list all inputs; however, I would also like to get the active associated target hosts (clients) found in serverclasses. Thanks.
We have existing UF 8.2.2 on all instances, managed by Ansible. When we try to upgrade to 9.0.1, Ansible gets stuck while accepting the license; if I run that command manually on the target host, it works fine. I think Ansible is waiting for a response after running the command on the target host, which has changed with version 9.0.1. Task to accept the license:

    - name: Accept Splunk license and set up init script
      command:
        cmd: /opt/splunkforwarder/bin/splunk status --accept-license --answer-yes --no-prompt
Hello, we found a useful trick to have field values as new fields, for example:

    | eval {status}=status
    | timechart count count(failed) as FAILED
    | eval failed_percent=FAILED/count*100

How do you call this? Is it documented? Thanks.
Hello Team,

Search Head Connectivity
Root Cause(s): The search head lost connection to the following peers: If there are unstable peers, confirm that the timeout (connectionTimeout and authTokenConnectionTimeout) settings in distsearch.conf are at appropriate values.
Unhealthy Instances: instances
Generate Diag? More info: If filing a support case, click here to generate a diag.
Last 50 related messages: None

Could someone please explain exactly what was done to cause the issue?
In classic dashboards there is an option to drill down to search, which is very convenient; the same is not available in Dashboard Studio. Need urgent help please!
I want to create an alert to check the event count on all indexes and alert with the list of all indexes that have no events in the last 24 hours. I saw a post with the same problem, but it didn't help: How to create an alert if index have no data in th... - Splunk Community. The following search doesn't work for my purpose.

    | tstats count where index=* by index | where count = 0
Hi Team, is there any way to determine the operating system language before we ingest the logs into Splunk? After ingesting the logs, will correlations work on servers with operating system languages other than English? Is there any alternative option to convert the language into English and get the output in the search head?
Hi Team, we have a requirement where we need to run a script on a remote server based on a search condition from Splunk. Example: from the search results, we found that for 10 servers a Windows service is down; as part of the alert condition, Splunk needs to log in to the remote server and start the service using a script. I wanted to check whether this can be done. Any leads to related resources will be helpful.
So we're having this issue where all of our Active Directory events are coming back as having multiple duplicates of the same event. We had an issue with the service accounts Splunk used, but all the domains we want to query can be queried now, confirmed via ldaptestconnection. This is specifically happening with searches relating to ldapfilter. Below is the search we use. Note: ldap_domains.csv contains all the domains we have and what Splunk should search.

    | inputlookup ldap_domains.csv WHERE enabled=1
    | fields - enabled
    | ldapfilter search="(&(memberOf:1.2.840.113556.1.4.1941:=CN=Backup Operators,CN=Builtin,$baseDN$))" domain=$domain$ attrs="name,sAMAccountName,objectCategory,objectClass,objectSID"
    | tojson
    | eval _raw = replace(_raw,"^{","{\"query_type\":\"activedirectory:admin_groups\",\"taskid\":\"".now()."\",\"admin_group_dn\":\"CN=Backup Operators,CN=Builtin,".baseDN."\",")
    | eval _raw = replace(_raw,"\:\[\]",":\"\"")
    | foreach * [ | eval _raw=replace(_raw,"<<FIELD>>", lower("<<FIELD>>")) ]
    | fields _raw
    | collect `activedirectory_index` output_format=hec
Hello, the following search

    index=index1 message_type=query NOT ([|inputlookup lookup1 | fields ip_address |rename ip_address as dns_request_client_ip]) NOT dns_request_client_ip=127.0.0.1 |stats count by dns_request_client_ip

shows me 23300 matched events and shows me a table in Statistics with those results. But when I try to use tstats (in that case the datamodel Network_Resolution has all the data for index1), it shows me 0 results, even though when I only search the tstats datamodel with no other things like the lookup etc. it gives me 5 million matches but doesn't show me anything in Statistics. Also, in the job inspector it shows me that the highlighted portion didn't produce any results, and the only highlighted part is behind |tstats (in which nothing should be) and it says "NONE |tstats ...". Why is this NONE there? My tstats is as follows:

    |tstats count as count from datamodel=Network_Resolution where (message_type=query) by dns_request_client_ip

and then I try to combine it with the rest of the search as stated above via |search:

    |search NOT ([|inputlookup lookup1 | fields ip_address |rename ip_address as dns_request_client_ip]) NOT dns_request_client_ip=127.0.0.1 |stats count by dns_request_client_ip

There must be something logically wrong with my approach, right? Thanks a lot for any help.
I tried to troubleshoot following the Splunk docs, but it's not working. Does anyone have any solutions?
Hi, I have a field in the logs like the one below:

    2022-12-07T08:40:14.253180536

How can I convert it to Splunk time format? I need to eventually select this field in the table, so the conversion should work within stats.
We've just upgraded to Splunk 9.0.2 and can see IOWAIT is alerting when logging onto the MASTER that the health is red, even though CloudWatch is reporting everything is fine and there are no complaints from the users. I've spoken to SLT and they are happy for this alert to be disabled. Any ideas?
Hi all, is there an existing add-on that I can use for getting HPE iLO data into Splunk? I am planning on ingesting it with a universal forwarder from a central server used as a repository. Thank you, O.
Hi, can we get the license usage summary by application name using the API? I've tried the license usage with the license ID and account ID, but I get the availability of the license as the output.

    GET /controller/licensing/v1/usage/license/{licenseId}
    http://<host>:<port>/controller/licensing/v1/usage/license/{licenseId}
    http://<host>:<port>/controller/licensing/v1/usage/account/{accountId}

These APIs are running well but are not giving the output I'm looking for. I'm looking for the usage, like how much of the license is consumed in real time. I appreciate any help you can provide.
Hello, I noticed that Splunk automatically translates input labels based on the user's locale. Dashboards with English labels are translated to German when the user locale is de-DE. Here is an example:

    <form version="1.1">
      <label>Test</label>
      <fieldset submitButton="false">
        <input type="text" token="From">
          <label>From</label>
        </input>
        <input type="text" token="To">
          <label>To</label>
        </input>
      </fieldset>
    </form>

en-US: [screenshot] de-DE: [screenshot]

Not only is the translation unwanted, the translation is also wrong. (In this context, "to" should be translated to "für" or "an".) Is it possible to disable this kind of behavior? I found two other posts. The solutions were 1) change each input field individually (https://community.splunk.com/t5/Dashboards-Visualizations/How-to-prevent-translation-of-labels-and-input-fields-in/m-p/537380) and 2) change the user locale to English (https://community.splunk.com/t5/Dashboards-Visualizations/How-to-avoid-translation-on-input-field-in-a-dashboard/td-p/477152). However, I would prefer a global setting to disable automatic translations.
Hi Team, considering the image shared below: x1 is my x-axis and y1 is my y-axis. I would like to interpolate values for x1, var1 and var2, and not for y1, as shown below (@interpolation, @scatterplot). Any leads are welcome here.