I am currently trying to set up the Splunk_SA_CIM application, but it displays "An error occurred fetching assets. Please try again." without any additional indications. Splunk_SA_CIM was installed with our Enterprise Security and is currently at version 4.18.0. I already checked the documentation and my user has the accelerate_datamodel capability. I didn't find any resource online that could indicate what is wrong...
Hi, I am trying to make my dashboard better and move all of the different searches to a single base search (or a couple of them) and then post-processing. I did what I saw in the forum and the documentation, but it didn't give any results...

Original code (which gives results):

    <form>
      <label>Emulation run analysis</label>
      <fieldset submitButton="false" autoRun="true">
        <input type="time" token="TimeRangePkr" searchWhenChanged="true">
          <label>Time Range</label>
          <default>
            <earliest>-7d@h</earliest>
            <latest>now</latest>
          </default>
        </input>
        <input type="dropdown" token="steppingToken" searchWhenChanged="true">
          <label>Stepping</label>
          <choice value="*">All</choice>
          <default>*</default>
          <fieldForLabel>stepping</fieldForLabel>
          <fieldForValue>stepping</fieldForValue>
          <search>
            <query>index=validation_bigcore aa_data_source="core_emu_run_info" |stats count by stepping</query>
            <earliest>-7d@h</earliest>
            <latest>now</latest>
          </search>
        </input>
      </fieldset>
    </form>

Code I am trying with a base search:

    <form>
      <label>Emulation run analysis</label>
      <search id="baseSearch">
        <query>index=validation_bigcore aa_data_source="core_emu_run_info"</query>
        <earliest>$TimeRangePkr.earliest$</earliest>
        <latest>$TimeRangePkr.latest$</latest>
      </search>
      <fieldset submitButton="false" autoRun="true">
        <input type="time" token="TimeRangePkr" searchWhenChanged="true">
          <label>Time Range</label>
          <default>
            <earliest>-7d@h</earliest>
            <latest>now</latest>
          </default>
        </input>
        <input type="dropdown" token="steppingToken" searchWhenChanged="true">
          <label>Stepping</label>
          <choice value="*">All</choice>
          <default>*</default>
          <fieldForLabel>stepping</fieldForLabel>
          <fieldForValue>stepping</fieldForValue>
          <search base="baseSearch">
            <query> |stats count by stepping</query>
          </search>
        </input>
      </fieldset>
    </form>

I tried playing with the earliest/latest: in the base search, in the post-processing, in both. None gave results, so it's probably not that. Any ideas what I am doing wrong? Thanks, Noam
Hi All, I have data as below. My requirement is to append/merge both of the columns and then, for each year, split the column into multiple columns and place the details for one year's field value adjacent to the previous one. The merging part can be taken care of; I need the solution for the column-splitting part. Can someone please help with how to achieve this?

SPL:

    | rex field=_raw "(?<Date>\d{4}-\d{2}-\d{2}\s\d{2}:\d{2}:\d{2})"
    | rex field=_raw "\w+:\s(?<Year>(\d+))\sQ"
    | rex field=_raw "\d+\s(?<Quarter>(Q\d)):"
    | rex field=_raw "\s+(?<Count>(\d+M))"
    | table Year,Quarter,Count
    | strcat Quarter " " Count Task
    | fields - Quarter Count
    | strcat Year " " Task Ask
    | fields - Year Task

Below is the expected result.

    2021        2022
    Q4 2m       Q4 5m
    Q3 1m       Q3 7m
    Q2 2m       Q2 8m
    Q1 0m       Q1 5m
I am having an issue with the "Status" values as below (and in the screenshot); please find the JSON and search query below. Please advise!! Appreciate your help!

    EventDate (21/10/2022)    EventDate (20/10/2022)
    Expected "Status":  DOCUMENT_ERROR:2  DOCUMENT_REQUEST_RECEIVED:2
    Actual "Status":    DOCUMENT_REQUEST_RECEIVED:2  DOCUMENT_ERROR:2

Search query:

    | eval Status = mvzip('eventData{}.eventStatusCount{}.status', 'eventData{}.eventStatusCount{}.count', ":")
    | table "eventData{}.eventDate","eventData{}.ReceivedCount", "eventData{}.ProcessedCount","eventData{}.MismatchCount","Status"
    | rename eventData{}.eventDate as "EventDate", eventData{}.ReceivedCount as "Total Event Received Count", eventData{}.ProcessedCount as "Total Event Processed Count", eventData{}.MismatchCount as "Total Event Mismatch Count"

JSON:

    "eventData": [
      {
        "eventDate": "2022-10-20",
        "eventKey": "event.request",
        "ProcessedCount": 0,
        "eventStatusCount": [],
        "ReceivedCount": 100,
        "MismatchCount": 100
      },
      {
        "eventDate": "2022-10-21",
        "eventKey": "event.request",
        "ProcessedCount": 2,
        "eventStatusCount": [
          { "status": "DOCUMENT_ERROR", "count": 2 },
          { "status": "DOCUMENT_REQUEST_RECEIVED", "count": 2 }
        ],
        "ReceivedCount": 1000,
        "MismatchCount": 998
      }
    ]
Good Day, I am a brand new Splunk user who recently downloaded the free trial Splunk license. I was using it in conjunction with a class from Udemy. Yesterday I did something to receive a license warning. I have no idea what I did or how to get rid of the searches that are causing the warnings. Any help would be greatly appreciated.
Hi, sometimes when we are doing a base search, if it is not handled properly, you will see the page loading. How do you handle it? Regards, Suman P.
I have read all the posts about "merging fields" and none of the options work for me. I have events where the same value can come in fields with different names. For example, one has the Action in a field called "act" and in another the field is "actResult". I tried to use:

    | eval Action = coalesce("act","actResult")
    | eval Action = mvappend("act","actResult")

But both options generate a field with "act" and "actResult" as the value, removing all the actual values. I also tried:

    | rename act as Action actResult as Action

But it doesn't work. Any ideas?
Hi SMEs, seeking advice on how I can create a rule/correlation search to detect some known RHEL vulnerabilities (CVEs).
In my new dashboard, I use the Kmeans algorithm twice. The clustering is different in each case; is there a way to fix the random seed used within the algorithm? I want to fix the random nature of the algorithm so that I get repeatable clustering. Thank you
Hi, after upgrading to Splunk 9.0.2 the UFMA started to use https://[::1]:8089/services/deployment/server/clients?count=0 for the REST API call, which resulted in "400 Host header contains invalid characters". I was able to 'fix' this by adding connectUsingIpVersion = 4-first to the [general] section in server.conf. What would be the correct way?
Raw event:

    {... "jvm_cmd":"bin/java -Dp -Dp1=v1-Dp2=v2 -Dq -Dp3=v3 ..."}

How do I extract the kv pairs from the jvm_cmd value and print them in a Splunk search? I am not an admin, so I can't change props.conf or transforms.conf. I tried https://community.splunk.com/t5/Splunk-Search/Using-KV-MODE-auto-in-props-conf-how-do-I-get-a-search-time/m-p/240834 and rex without any success. Any help will be much appreciated.
I have the following table of activities:

    Internal   External   Direction
    1.1.1.1    2.2.2.2    Outbound
    3.3.3.3    4.4.4.4    Inbound
    5.5.5.5    4.4.4.4    Inbound
    1.1.1.1    8.8.8.8    Outbound

I want to group them by either Internal OR External, based on what is in the Direction field: if it's Outbound I want to group by Internal, if it's Inbound I want to group by External, and get the count. I would like to get the following table as a result:

    Internal          External          Count   Grouped by   Direction
    1.1.1.1           2.2.2.2 8.8.8.8   2       1.1.1.1      Outbound
    3.3.3.3 5.5.5.5   4.4.4.4           2       4.4.4.4      Inbound

Thanks.
Let's say we have a couple of fields in our dataset (called my_dataset): event_time, event_type, user, field1 and field2. Now, we want to make a search that: distinct count of field1 > X OR distinct count of field2 > Y happens within Z minutes from when a specific event_type (let's call that value type1) happens for the first time. In other words, this search counts the number of different field1 or field2 unique values within Z minutes from the first type1 (but it searches all event_type values when counting field1 and field2). I tried:

    | tstats ... from datamodel=my_dataset groupby _time
    | eval detection_time_end=strftime((relative_time(event_time,"+`Z`")), "%F %T.%Q"), only_type1=if((event_type="type1"),1,null)
    | stats earliest(event_time) as earliest_time, earliest(detection_time_end) as end_of_detection_time, dc(field1) as number_of_different_field1_events, dc(field2) as number_of_different_field2_events, by user, only_type1

This only takes me so far and I'm not sure what to do next. I get statistics of the earliest time and the end of detection time of type1 per user, with total distinct counts of field1 and field2 events. I guess I have to use a subsearch here? Any help is appreciated, since I got really stuck with this one. Thanks!
Hi, I have an application that has 2 tiers, and all tiers are hosted on 2 nodes. We need to monitor the application's uptime and downtime. If in the last 7 days the application is down for one day, we need a percentage that says that the application is up 6 days and down 1 day. Is it possible to do this?
Hi team,

1. I have a query that returns only the 2 columns below:

    PQ, ACT
    pq1, act1
    PQ1, act2
    pQ1, act3
    pq2, act4
    QP2, act5
    Pq2, act6
    pq3, act7
    Pq3, act8
    pq_3, act9
    ...

2. Then I have a standard pq list CSV file uploaded in Splunk. In the CSV file there is a column called 'pq' with the standard pq values defined. Please check the sample below.

    PQ
    pq1
    pq2
    pq3
    pq4
    pq5
    pq6
    ...

3. I want to compare the pq values in the Splunk query result with the lookup CSV file to find out:
   a) return the PQ and ACT where the PQ value is not exactly matched with the one defined in the lookup file, including case-sensitivity issues.
   b) return the PQ and ACT where the PQ value is in the query result but not in the lookup table.
   c) return the PQ and ACT where the PQ value is not in the query but is in the lookup table.

How do I compose the query to meet the 3 requirements in step 3?

Best regards!
Hi, what are the limitations on subsearch? Please give one or two? This is an interview question. Regards, Suman P.
Hi All, we have a few dashboards which use summary indexes to populate data. A few users reported that they are unable to see any values when they access the respective dashboards (the issue is reproducible as well). However, when I log in as the admin user the dashboards work just fine and the values are up to date. I have validated the roles assigned (authorize.conf) and it seems good; they have access to the summary indexes.

    [role_example_user]
    srchIndexesAllowed = example_index;example_index2;summary_index1;summary_index2
    srchMaxTime = 144000
    importRoles = default_user

I also validated the default.meta configs, and the respective role has read access to the saved searches, views, etc.

    [savedsearches/summary_index1]
    access = read : [ admin, role_example_user ], write : [ ]
    export = none
    owner = test_user

Still, users with the respective roles can't see anything on the dashboards. Please let me know how I can fix this issue.
Hi All, these are the logger info counts which are generated in Splunk:

    Total numner where inds-a 20
    Total numner where inds-b 30
    Total numner where inds-c 40
    Total numner where inds-d 50

I need to create an alert based on the inds-c percentage: if inds-c is greater than 10% it should create an alert. Below is the search query I am trying, but it has some issue with the rex part. Any suggestions?

    index=abc log_severity=INFO OR WARN appname=doc country=ind earlies=@d
    |rex "Total Number where inds-c (?<counts>\d+)"
    |rex "Total Number where inds-* (?<Allcounts>\d+)"
    eval percentage=((counts/Allcounts)*100)
    where percentage>=10
Hello everyone, I have noticed that some users in our Splunk environment are always using base searches and post-process searches, because they were told that it was a good practice to do that. But there are some cases where I have noticed that the use of the base search is not speeding up the dashboard; instead it spends more time. For example, there is a dashboard that uses a base search and they use something like this:

Base search:

    index=example sourcetype=testing | fields *

And then at the subsearch I can see that when Splunk uses that base search it is doing something weird, adding "| fields *" to the search, for example:

    index=example sourcetype=testing | fields * | eval Date=strftime(_time, "%m/%d/%Y") | dedup s1, s1 | fields * | search something=tosearch | fields * | eval _time = strptime(Date,"%m/%d/%Y")

When the post-process search is:

    <query> | eval Date=strftime(_time, "%m/%d/%Y") | dedup s1, s1 | search something=tosearch | eval _time = strptime(Date,"%m/%d/%Y") </query>

So I would like to understand why Splunk does it. I would also like to know if there are some scenarios where using the base search is not recommended. Thanks in advance. Best Regards,
Hi wonderful people. I wanted to know if we can combine two services in Splunk to get an output:

    | rest /services/authentication/users splunk_server=local

and

    | rest /services/admin/SAML-groups splunk_server=local

How can I combine the above two to get the results in one query?