Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Hi, I have a dashboard where one row has the panels appearing overlapping: This is the current HTML code for this row:   How can I fix this? Thanks as always!
I have a unique requirement to forward Splunk alerts to an external syslog server. I have only seen use cases of forwarding data from a Splunk heavy forwarder to syslog, which is straightforward. However, our use case is such that Splunk should forward alerts to the syslog server any time an alert is triggered. I used some syslog modular alerts from Splunkbase but none worked. Any suggestions?
I have fields for user and URL parsed into Splunk from a proxy log and am trying to collate a table which displays deduplicated users which have visited at least two of four or five URLs. E.g.:

user1 - URL1, URL2, URL3
user2 - URL2, URL5
etc.

What would be the best way of accomplishing this? I am not sure if I should be trying to transform or just format or something else entirely.
Hi, I have a couple of rex commands in my search query that are not used anywhere. Now the question is: does this have a negative impact on my performance? Any idea? Thanks
Hi, what is the quickest way to find the 100 max values of "Q" in a huge log file?

Here is my query:

index="myindex" | rex "Q\[(?<Q>\d+)" | stats max(Q)

Here is the log:

13:58:34.999  Q[16]

Any idea? Thanks
Noob question: can someone please assist with how to get an alert when any of the inputs under any TA (add-on) stops sending logs for the last 24 h? Let's take the Splunk Add-on for AWS as an example. I have around 60 inputs configured. How do I write a search that can alert when any of these 60 inputs stops working? If I do "index=aws", it shows me various sources and sourcetypes, but there isn't any field that has the names of these inputs. We have run into issues where we had to manually enable/disable inputs quite frequently when they stop logging.
I am trying to increase the "Network Socket timeout" in the LDAP group configuration. I tried modifying parameters as mentioned in this thread: https://community.splunk.com/t5/Splunk-Search/LDAP-Group-Configuration-Can-I-increase-the-search-request-time/m-p/137841. Though the value reflects fine in the UI, when I edit anything in the UI for the LDAP settings it errors out with the message "Invalid network timeout". I am unable to figure out which param the set value is verified against. Any help would be appreciated. TIA
Our Splunk alerts were integrated with ServiceNow via email ingestion. But it suddenly stopped and we are not receiving tickets from SNow even though there are alerts triggered in Splunk. What is the error for this and how can we troubleshoot this issue? Thank you
1) Which 'splunkd' is this referring to? The Universal Forwarder or Splunk Enterprise (the Deployment Server)?
2) 'After installation' of what... the deployment app?
3) Does this tick box cause the Universal Forwarder to restart each time there's a modification to the deployment app, e.g. a change to inputs.conf?
To find the IPs hitting the index waf by client IP: if the hitting IPs are present in lookup table 2 they have to be excluded, and in place of the policy ID we need the policy name from lookup table 1; we need only "alert" from Rules to be displayed in the search.

Current data:

ClientIP:  194.38.20.161, 199.249.230.183
PolicyID:  xxxx, yyyy, zzzz
Rules:     alert, deny
details:   xxxx, xxxx, xxxx

lookup 1:

PolicyID  PolicyName
xxxx      prod
yyyy      ops
zzzz      xps

lookup 2:

description  IP
xyz          3.13.1561.11/16
abc          6.18.293.133/32
sdfdh        9.18.53.54/8
aftiml       2.57.344.66/64

Expected output:

Client_IP        PolicyName  Rules  details
194.38.20.161    prod        alert  xydihflaf
199.249.230.183  ops         alert  hdkafhfh
192.456.46.92    xps         alert  yedukak

Ciao
Hi, from a Splunk search, how do I convert the "msDS-UserPasswordExpiryTimeComputed" value retrieved from AD into a date? I wish to convert the value into a date with a Splunk command. Thank you
Hi, I need to subtract -30d from earliest, where earliest is computed by a token. I tried to convert the token result to Unix time and subtract 2628000 from the Unix date computed from the token, but this doesn't work. The token will use the day before today with hour 14:30 or 23:59, so I need to have this exact time chosen for latest, but I need to look with earliest 30 days before this exact date and time:

index="*" sourcetype="*" earliest=1669296600.000000-2628000.000000 latest=1669296600.000000

OR

index="*" sourcetype="*" earliest="11/24/2022 14:30:00"-30d latest="11/24/2022 14:30:00"

Is it possible? Could someone please help? Thank you in advance.
Hi team, I registered for a free trial and received the corresponding emails containing portal access information and password set-up procedure. The environment was in the process of being set up, but it never got to the end. Neither have I received the connection details to the controller. Could you kindly assist/help? -Igor
Hi, please, I am having a problem viewing the indexes I created in my clustered environment. They were all created on the cluster manager ..._cluster and also the same on the deployer, but when I try to search them I don't get to see any of them. When I tried to check the indexer GUI I see them under indexes, but not on the search head GUI. What am I doing wrong? Also, I installed a TA (add-on for Unix and Linux) and tried to use one of the monitor stanzas as an input on the DS, yet it is still not working. My serverclasses are fine. Below is the stanza I copied from the TA, which I used in my inputs.conf in the local folder of the TA under deployment apps. Kindly assist. Thanks
Hi everyone, could anyone help me know if Splunk is able to integrate with Google Analytics? Thanks in advance for any comment related to it.
I know that with Splunk Dashboard Studio, conditional dashboards based on a dropdown choice aren't a possibility anymore, but is it possible to make the data source used by the dashboard conditional on the dropdown choice? That way, the dashboard could update dynamically.
I'm trying to create a table with the top 5 results split into columns, so that I can have multiple results per line, grouped by date. Here's what I have:

| union [search index=Firewall BlockFromBadActor | top src_ip by Date limit=5 | rename count as IPCount] [search index=Firewall BlockFromBadActor | top dest_port by Date limit=5 | rename count as PortCount]
| stats values(*) as * by Date
| fields Date,src_ip,IPCount,dest_port,PortCount

Date        src_ip   IPCount  dest_port  PortCount
2022/11/25  1.1.1.1  5000     1          5000
            2.2.2.2  4000     2          4000
            3.3.3.3  3000     3          3000
            4.4.4.4  2000     4          2000
            5.5.5.5  1000     5          1000
2022/11/24  1.1.1.1  5000     1          5000
            2.2.2.2  4000     2          4000
            3.3.3.3  3000     3          3000
            4.4.4.4  2000     4          2000
            5.5.5.5  1000     5          1000

What I'm trying to get:

Date        IP 1     IP 1 Count  IP 2     IP 2 Count  Port 1  Port 1 Count  Port 2  Port 2 Count
2022/11/25  1.1.1.1  5000        2.2.2.2  4000        1       5000          2       4000
2022/11/24  1.1.1.1  5000        2.2.2.2  4000        1       5000          2       4000

I cannot seem to find any way to make the individual query results into new columns.
Happy Friday Splunkers,

We are attempting to onboard data from Salesforce, but after reviewing the _internal index we are receiving multiple errors for deprecated functions that come by default within the add-on. Has anyone else experienced anything similar to this, or is it possible there is a misconfiguration somewhere? From the looks of it a Python script will need to be modified.

11-25-2022 12:12:48.735 -0500 ERROR PersistentScript - From {/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Splunk_TA_salesforce/bin/Splunk_TA_salesforce_rh_account.py persistent}: return func(*args, **kwargs)
11-25-2022 12:12:48.735 -0500 ERROR PersistentScript - From {/opt/splunk/bin/python3.7 /opt/splunk/etc/apps/Splunk_TA_salesforce/bin/Splunk_TA_salesforce_rh_account.py persistent}: /opt/splunk/etc/apps/Splunk_TA_salesforce/lib/solnlib/utils.py:153: UserWarning: _get_all_passwords is deprecated, please use get_all_passwords_in_realm instead.
When navigating to the google_drive_setup dashboard in Splunk Cloud, I get the following HTML error:

common.js:1851 TypeError: Cannot set properties of null (setting 'ondragover')
    at i.setupDragDropHandlerOnElement (eval at _runScript (dashboard_1.1.js:347:86275), <anonymous>:55:32)
    at i.setupDragDropHandlers (eval at _runScript (dashboard_1.1.js:347:86275), <anonymous>:46:16)
    at i.initialize (eval at _runScript (dashboard_1.1.js:347:86275), <anonymous>:36:16)
    at t.View (common.js:1506:229444)
    at i.constructor (common.js:1851:1033344)
    at i [as constructor] (common.js:1506:236387)
    at new i (common.js:1506:236387)
    at eval (eval at _runScript (dashboard_1.1.js:347:86275), <anonymous>:349:23)
    at Object.execCb (eval at e.exports (common.js:629:64344), <anonymous>:1658:33)
    at Module.check (eval at e.exports (common.js:629:64344), <anonymous>:869:55)

Since I am on Splunk Cloud, I don't have access to create a passwords.conf manually. I am running Splunk Cloud 9.0.2. I don't get any error logs in the Splunk _internal index related to the page. Does anyone have a solution for resolving this? @LukeMurphey?
Hi All, I am getting the following error in Splunk: "Events may not be returned in sub-second order due to search memory limits. See search.log for more information. settings: [search]:max_rawsize_perchunk". When I am searching for a particular time range like 4 to 8 I am getting this error, but if I search for the last 15 mins or 24 hours or last 7 days I am not getting the error. I understood that between the 4 to 8 time range there were a lot of events coming in for one second.

1. Below are my props configured and sample logs:

20221012453012 20220812453012 20220912453012 20220612453012
H1S98765~~PR~;R ESC~AB~Thu Oct 12 12:34:56 IST 2022~B~1.22~2.22~3456.98~GF~4356BV
H1S98765~~PR~;Z ESC~AB~Thu Oct 12 12:34:56 IST 2022~B~1.22~2.22~3456.98~GF~4356BV
H1S98765~~PR~;M ESC~AB~Thu Oct 12 12:34:56 IST 2022~B~1.22~2.22~3456.98~GF~4356BV
H1S98765~~PR~;T ESC~AB~Thu Oct 12 12:34:56 IST 2022~B~1.22~2.22~3456.98~GF~4356BV

[logs:health:app]
truncate=10000
time_prefix=(?:[^~]+~)~(?:[^~]+~){3}
time_format=%a %b %d %H: %M: %S  %Z
disable=false
max_timestamp_lookahead=75
charset=UFT_8
no_binary_check=true
datetime_config=CURRENT
should_linenerge=false
line_breaker=([\r\n]+)\w{8}~~
annotate_punct=false

2. Below are my props configured and sample logs:

[10/07/22 12:55:40"7451 IST] 89786545 medapplog  9[10/07/22 12:55:40"7451 IST-897654] [app=med, sucees=0, failed=10, validpoints=100]  the events are assocuiated with the med application user=app client=med
[08/07/22 12:55:40"7451 IST] 89786545 medapplog  9[10/07/22 12:55:40"7451 IST-897654] [app=med, sucees=0, failed=10, validpoints=100]  the events are assocuiated with the med application user=app client=med
[10/12/22 12:55:40"7451 IST] 89786545 medapplog  9[10/07/22 12:55:40"7451 IST-897654] [app=med, sucees=0, failed=10, validpoints=100]  the events are assocuiated with the med application user=app client=med

[logs:med:app]
time_prefix=^\[
time_format=%m %d %y  %H: %M: %S: %3Q  %Z
max_timestamp_lookahead=30
should_linenerge=false
line_breaker=([\r\n]+)\[\d{1,2}\/\d{1,2}\/\d{2}\s\d{1,2}:\d{2}:\d{2}:\d{3}\s\D{3}\]
truncate=99999

Please let me know how to avoid this error coming up when I search.