I get strange errors when searching messages by old dates. If I run a search over more than two hours, I immediately get the following errors:

2 errors occurred while the search was executing. Therefore, search results might be incomplete.
'stats' command: limit for values of field 'Time' reached. Some values may have been truncated or ignored.
'stats' command: limit for values of field 'messageType' reached. Some values may have been truncated or ignored.

Over four days:

4 errors occurred while the search was executing. Therefore, search results might be incomplete.
'stats' command: limit for values of field 'Time' reached. Some values may have been truncated or ignored.
'stats' command: limit for values of field 'eventTime' reached. Some values may have been truncated or ignored.
'stats' command: limit for values of field 'messageId' reached. Some values may have been truncated or ignored.
'stats' command: limit for values of field 'messageType' reached. Some values may have been truncated or ignored.

One of my searches:

index="external_system" messageType="RABIS-HeartBeat"
| eval timeValue='eventTime'
| eval time=strptime(timeValue,"%Y-%m-%dT%H:%M:%S")
| sort -_time
| eval timeValue='eventTime'
| eval time=strptime(timeValue,"%Y-%m-%dT%H:%M:%S")
| eval Time=strftime(_time,"%Y-%m-%dT%H:%M:%S")
| stats list(Time) as Time list(eventTime) as EventTime list(messageType) as MessageType list(messageId) as MessageId by messageType

Message example:

curl --location --request POST 'http://mon.pd.dev.sis.org:8088/services/collector/raw' \
  --header 'Authorization: Splunk 02-93-48-9-27' \
  --header 'Content-Type: text/plain' \
  --data-raw '{ "messageType": "HeartBeat", "eventTime": "2022-11-14T13:34:15", "messageId": "ED280816-E404-444A-A2D9-FFD2D171F9999" }'

Can you please tell me how to solve these problems?
Earlier we used to run on an EC2 instance, and in Splunk we had an extracted field called "host", in which we used to get the IP address of the host. But since we have moved away from EC2 to Fargate, I want to replace the host with the task ID and get all task IDs in an extracted field called "task". Any help appreciated.
Hi peeps, I need help with a query. Basically I'm trying to group some of the field values in the 'Category' field into a new field called 'newCategory'. Below is a sample of the data:

The newCategory field will have the new count for each of the new field values (such as Anonymizers, Gambling, Malicious Site). Please help. Thank you.
Hi there, I used to have a couple of alerts which worked using a cron expression from Monday to Saturday (*/15 7-19 * * 1-) and another for Sunday (*/15 10-15 * * 0). The requirements changed, so I needed the Saturday and Sunday alert timings to be the same. I used (*/15 10-15 * * 6-7), but that didn't trigger an alert. I tried */15 10-15 * * SAT-SUN, but it doesn't accept that format. Can you help me with a cron expression for Saturday and Sunday?
Hi, may I check whether there is a character limit when sending data to Splunk? Is there a 10000-character limit on Splunk Enterprise version 8.0.5? Thanks!
Hi, I am working with firewall logs for external IPs. I want to collect the IPs blocked by the firewall together with the block reason, meaning why the firewall blocked that external IP. So I want to create a query that identifies the IPs blocked by the firewall, the reason, and the signature of the firewall rule. Please help me with this; tstats could be useful.
I just enabled indexer discovery on my master node and on my deployment server. I then added three (3) new indexers. I have added the new indexers to the license master and also set up indexer clustering on the three new indexers. Then I discovered the following:

1. My pass4SymmKey is still showing in clear text (i.e. it did not hash).
2. The IP addresses of the newly added indexers were not updated in the deployment server, so they were also not updated in the deployment clients.
splunkforwarder-monitor exits by itself, and I got the following message. I saw a similar issue reported for Splunk versions prior to 6.1.3, but in my case we are using version 8.1.3.

[root@em21 splunkforwarder]# systemctl status splunkforwarder -l
* splunkforwarder.service - Splunk Universal Forwarder Process Monitor
   Loaded: loaded (/etc/systemd/system/splunkforwarder.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Wed 2022-11-02 00:11:03 UTC; 1 weeks 4 days ago
  Process: 45771 ExecStop=/etc/splunk/splunkforwarder-monitor stop (code=exited, status=0/SUCCESS)
  Process: 38220 ExecStart=/etc/splunk/splunkforwarder-monitor start (code=exited, status=0/SUCCESS)
 Main PID: 38220 (code=exited, status=0/SUCCESS)
   Memory: 6.4M
   CGroup: /system.slice/splunkforwarder.service

Nov 01 23:56:51 em21 splunkforwarder-monitor[38220]: Done
Nov 01 23:56:51 em21 splunkforwarder-monitor[38220]: Checking default conf files for edits...
Nov 01 23:56:51 em21 splunkforwarder-monitor[38220]: Validating installed files against hashes from '/opt/splunkforwarder/splunkforwarder-8.1.3-63079c59e632-linux-2.6-x86_64-manifest'
Nov 01 23:56:52 em21 splunkforwarder-monitor[38220]: [ OK ]
Nov 01 23:56:52 em21 splunkforwarder-monitor[38220]: All installed files intact.
Nov 01 23:56:52 em21 splunkforwarder-monitor[38220]: Done
Nov 01 23:56:52 em21 splunkforwarder-monitor[38220]: All preliminary checks passed.
Nov 01 23:56:52 em21 splunkforwarder-monitor[38220]: Starting splunk server daemon (splunkd)...
Nov 01 23:56:52 em21 splunkforwarder-monitor[38220]: Done
Nov 02 00:11:03 em21 splunkforwarder-monitor[38220]: INFO: /opt/splunkforwarder/var/run/splunk/conf-mutator.pid is gone, which indicates that splunk existed successfully. Quiting splunkforwarder-monitor...
[root@em21 splunkforwarder]#

[root@em21 splunkforwarder]# rpm -qa | grep splunk
splunkforwarder-configure-3.7-48.noarch
splunkforwarder-8.1.3-63079c59e632.x86_64
[root@em21 splunkforwarder]#
Can someone give me some steps for this issue?

Push Unnecessary: manager-apps and master-apps are both populated. There can be only one. Bundle push blocked until all bundles are either in manager-apps (preferred) or master-apps.
Hi all, I took a 14-day trial, set up the integration with Kubernetes (EKS) and tried to configure 4 services (of the same type, Java) to send traces. I installed the Helm chart with splunk-otel-collector and integrated splunk-otel-javaagent.jar (all according to the instructions in the Integration section). All services have the same configuration, but 1 service sends traces and the other 3 do not. (BTW, the same 4 services previously sent traces to DataDog without problems.) There are no errors in the logs similar to these: https://github.com/signalfx/splunk-otel-java/blob/main/docs/troubleshooting.md Any ideas for what to check? Thanks
While trying to change the password on a Splunk HF, I get the error below:

/opt/splunk/bin/splunk edit user admin -password new_password -role admin -auth admin:changeme ---> "Couldn't complete HTTP request: Connection reset by peer error"

Your help would be much appreciated.
Hello guys, I'm trying to ingest an exported Sysmon log file into Splunk. I got the file from the Splunk attack_data repository. I have already installed the Microsoft Sysmon add-on. Splunk attack_data's link:

Every time I choose xmlWinEventLog:Microsoft-Windows-Sysmon/Operational as the source type, it gives me the error "Not found". I appreciate your support; how can I ingest exported Sysmon logs into Splunk? Thanks, Awni
Rollback during installation of Splunk Enterprise on Windows 64-bit. Please, I need help.
Hi all, one of our new clients is interested in using Splunk to monitor their application. To set up Splunk for their application, what initial details do we need to ask the client for in order to configure Splunk? For example, which OS they use, how many servers, which cloud, which database, etc. If there is any template available for collecting the basic required details from a client, kindly share it with me, or tell me which specific details we need to request from them. Thanks in advance.
Hi all, currently we are using 3 Heavy Forwarders on Windows servers. Due to budget problems we are planning to move all HFs to Linux servers. Kindly guide and suggest how to move the HFs from Windows to Linux. How do we copy the already installed apps and the existing settings and configuration files from Windows to Linux? Thanks in advance for your reply.
Hello, I need to find the limit on the number of users that can be online using Splunk Enterprise at the same time; I have a search head cluster of 4 SHs and 1 load balancer. Thanks
Do all HOT buckets of one indexer migrate to WARM buckets and create small buckets because the connection between the indexer and the cluster master was broken?
Hello: I am trying to get fields from different events into the same table. I have two different events, and let's say they have these fields:

First event:
Field1 = A
Field2 = B

Second event:
Field1 = A
Field3 = C

So if I run the following:

index=whatever sourcetype=whatever | table Field1 Field2 Field3

I get a table like this:

Field1    Field2    Field3
A         B
A                   C

I am trying to get the table to look like this, because Field1 is the same value:

Field1    Field2    Field3
A         B         C

Basically, I am trying to pull a value from one event where the message IDs or session IDs are unique, have Splunk go find another event with a matching message ID, grab a different value from that separate event, and output it to the same row in the table so the values in the table correspond with their respective message IDs.
Let's say I have data in an event that looks like this:

NAME: John
NAME: Mary
NAME: Sue

Assuming I have no idea how many names will exist in the event, is it possible to use the rex command to parse out all the names and display them in separate fields? Thanks, Jonathan
Hi there! I'm wondering if anyone out there has experience with using Data Manager for Azure onboarding. According to this link https://docs.splunk.com/Documentation/DM/1.7.0/User/GDIOverview#Getting_data_in_for_Microsoft_Azure there are only TWO supported sourcetypes, azure:monitor:aad and azure:monitor:activity. The searches for the Enterprise Security Analytic Stories for Azure use a macro named azuread which looks for a specific sourcetype (mscs:azure:eventhub). Does DM provide the sourcetype needed for the ES stories? Or will I still need to ingest the event hub data via the Splunk Add-on for Microsoft Cloud Services TA?