EPP: {"syslog_type":"AGENT_EVENT", "syslog_data":{"log_string_args":null,"computer_name":"F0-P-N0017","login_id":"POO10","client_time":{"$date ":"2022-10-01T04:31:03.752Z"},"log_string_id":"EPPAGENT_LOGID_11002","user_name":"ppart","data_uuid":"35a5e74d-c4ad-4f25-ba9f-830c6-WINDOWS", "유형":"11000"}} Field extraction does not work well on this. What should I do?
Hi, my client has encountered the issue below, and I was just wondering if anyone has encountered something similar?
- Encountered the following error: eventtype "xxxxxxxxx" does not exist or is disabled, when running a search using a specific index/sourcetype. They have mentioned that the affected eventtype has the proper permissions.
- The search is able to return results for a shorter timeframe (i.e. 3 months) but not for a longer timeframe (1 year).
Thank you in advance for any information given. Mikhael
Hi, I recently created a nicely formatted dashboard which has its tables colour coded according to search results. However, any export I try results in none of the formatting being exported, just plain white tables without any of the colour or formatting, which I do require in some way for presentation. Is there a way to keep that XML in the export?
We have this script in the Splunk_TA_windows_v8 app directory named nt6-repl-stat.ps1. I'm seeing a lot of errors in our _internal index around it. When I piece the errors together, I get:

. : The term 'C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\bin\powershell\nt6-repl-stat.ps1' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:3
+ . 'C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windo ...
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Program File...6-repl-stat.ps1:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

What am I missing here?
I have an index which returns logs. I would like to know how much storage is used for the logs in a specific time range. How could I write the query, or do this from the UI? Thanks.
Tenable.io is alerting on all my Splunk universal forwarder client hosts (Debian & Ubuntu). It is seeing port 8089 on these hosts (probably the management port??) and throwing this error: The following certificate was found at the top of the certificate chain sent by the remote host, but is self-signed and was not found in the list of known certificate authorities : |-Subject : C=US/ST=CA/L=San Francisco/O=Splunk/CN=SplunkCommonCA/E=support@splunk.com I don't need to encrypt Splunk communications from the universal forwarder to the Splunk server, I just want Tenable to see a signed cert on this port so it doesn't complain. Where is this file, and can I replace it with my fullchain.pem from Let's Encrypt that is already elsewhere on this host? Thanks, Matt
We have a perpetual license and are currently running an on-prem setup of version 7 (Windows) on several servers. We want to create a new Splunk environment in our private cloud. Can I download the free trial and then copy my license to that? Would it be an issue with that being 9? Can I just copy the license file from our license master in our current environment and move it over?
I have tried to create a search that uses a csv file for inputting a listing of hosts that I want to search for a particular EventID and if I find the ID we will create a ticket. I can list out the information (which is just a list of server/hosts) but I can't apply it to a search.
Need some help with deploying and merging an app. We have a deployment server that stores apps in the following folders:

~/etc/deployment-apps/all - This is where we have all apps going out to all servers.
~/etc/deployment-apps/spesial - This is custom config for one server.

In the all folder we have an app like this: test.app/default/app.conf with the following content:

[ui]
is_visible = false

In the spesial folder we have an app like this: test.app/local/app.conf with the following content:

[ui]
is_visible = true

Serverclass.conf looks like this:

# Send all app to all servers
[serverClass:send.to.all.servers]
repositoryLocation = $SPLUNK_HOME/deployment-apps/all
restartSplunkd = true
restartIfNeeded = true
issueReload = true
whitelist.0 = *

[serverClass:send.to.all.servers:app:*]

# Send this apps only to server Mars1
[serverClass:send.to.mars1.servers]
repositoryLocation = $SPLUNK_HOME/deployment-apps/spesial
restartSplunkd = true
restartIfNeeded = true
issueReload = true
whitelist.0 = Mars1

[serverClass:send.to.mars1.servers:app:*]

The problem is that only one test.app is sent out. I would like both to be sent out and merged into one app with both the local and default folders (local will take precedence). If I remove one of the apps, the other will be sent out, but not both. How can I accomplish this (without using an external script, etc.)? I have read through the serverclass.conf file without seeing any easy way to solve this.
I am using a single value in a dashboard. It is only showing a date, but I cannot get the date to format the way I want it on the dashboard. My search string is:

index=conmon earliest=11/23/2022:00:00:00 | dedup LASTMODIFIED | eval tst = strftime(strptime(LASTMODIFIED, "%Y-%m-%d"), "%Y-%m-%d") | fields tst

I want 11-23-2022, but continue to get 2022-11-23T13:35:53-05:00. The search on its own brings back the value correctly, but not on the dashboard. Any help would be greatly appreciated. Bill K
What is the correct method to back up/restore Splunk Enterprise? I believe I can back up (Linux) using this command: tar czvf /opt/$HOSTNAME.tgz /opt/splunk/etc/
I'm trying to get sparklines with the stats command, and I'm getting straight lines in the sparkline instead of dips and rises.
Whenever anyone updates the test.csv lookup table I want to get an alert. Note: the update is done via the Lookup Editor, and the *Save Lookup* button is clicked.
Hello Splunk Community. I am trying to use Splunk to search for the serial number of the installed hard drive(s). When I run a search for a particular computer, is there a field that gets populated that will have the hard drive serial numbers? To complicate the issue, I'm looking at servers as well as workstations, most of which have multiple hard drives installed. Is there a better way to get the information? We are using Splunk Enterprise v8.2.2
We would like to get some help in creating a policy or rule to manually inject the ADRUM script in an AWS load balancer (ALB). Suggestions will help us move forward. Thank you. Regards, Vijay M.
We are running a SHC with Splunk Enterprise on-prem 9.0.1 and noticed that the number of concurrent searches on one of the nodes is way higher than on the rest (approx. 3 times), even though the scheduler delegation shows it is delegating evenly across the nodes. Most of the scheduled searches are from an app that runs dbx queries to keep some lookups updated; these are scheduled to run a few times a week but appear to be running constantly in the scheduler. These concurrent searches run constantly even after a restart of the node. It doesn't happen on a single instance with the same apps, so we think it is a clustering issue. How can we troubleshoot/debug this behaviour?
I enabled the scheduled PDF delivery for my dashboard, and it generated the PDF attachment, but in that attachment it's now showing the labels for the bar chart on the axis. I need the values like this, but I am not getting the values in the attachment. Please post the working snippet.
We are upgrading our Splunk agents to the new version 9.0.2, but we are not sure how we can upgrade agents on Citrix or system image servers. Can someone please help with steps or scripts? We have a script to upgrade the version; I just need the info for system image servers. Any help would be appreciated.
Hi, I would like to monitor a specific index and get the following information: source name, and oldest searchable event by source. I understand the basics of dbinspect: it will display the startEpoch values, and I can sort for the earliest value and figure out the oldest event using this field and sourceCount only. However, I need to identify the source "name" so I can pair the two: source name and oldest searchable event. Or, if there is another command I can use instead of dbinspect that will provide the needed information. Using the stats command in this use case will not work, as I will be looking for events that are 1 year old and I favor the dbinspect search time. Please advise. Thanks and regards.
I'm seeing errors whereby PowerShell inputs just stop for some random reason. The only error I get is the following: failed with exception=The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: Exception calling "Clear" with "0" argument(s): "Index was outside the bounds of the array." A simple restart of the SplunkForwardingService on the system makes it work again, so there's nothing wrong with the script. Anyone got any ideas why it's doing this? It's not just one script or one particular system. It's 2 scripts across 2 different scripts. Same error though.