I am looking for an alert when any search in (rest /services/saved/searches splunk_server=local) is being modified.
Good afternoon! I send a message like this:

curl --location --request POST 'http://test.test.org:8088/services/collector/raw' \
  --header 'Authorization: Splunk 0202-0404-4949-9c-27' \
  --header 'Content-Type: text/plain' \
  --data-raw '{ "messageId": "ED280816-E404-444A-A2D9-FFD2D171F323", "messageType": "RABIS-HeartBeat", "eventTime": "2022-10-13T18:08:00", }'

The message arrives in Splunk, but I don't see the field: "eventTime": "2022-10-13T18:08:00". I have shown an example in the screenshot. Please let me know which time format I need to use.
We have an indexer cluster deployment. We recently added additional memory to all the indexers. In the Splunk Monitoring Console the new disk space details are not updated. In the REST URI path '/services/server/status/partitions-space' the correct disk space details are not updated. We are using the SPL below to fetch disk space details in the Monitoring Console dashboard:

| rest splunk_server=* /services/server/status/partitions-space
| eval free = if(isnotnull(available), available, free)
| eval usage = round((capacity - free) / 1024, 2)
| eval capacity = round(capacity / 1024, 2)
| eval compare_usage = usage." / ".capacity
| eval pct_usage = round(usage / capacity * 100, 2)
| stats first(fs_type) as fs_type first(compare_usage) AS compare_usage first(pct_usage) as pct_usage by mount_point
| rename mount_point as "Mount Point", fs_type as "File System Type", compare_usage as "Disk Usage (GB)", pct_usage as "Disk Usage (%)"
As my original subject led to some weird error message about message flooding, here it is again: Subject: Invalid key in stanza - splunk_instrumentation - savedsearches.conf v8.2.9. Version 8.2.9 (Linux, tgz version) brings the "Invalid key in stanza" error in line 451 of the `/opt/splunk/etc/apps/splunk_instrumentation/default/savedsearches.conf` file. This wasn't the case in v.8.27. It turns out that the named file differs in one character between the two versions: a space added after the "\" (for line continuation) in v8.2.9. After removing that single space, the `splunk restart` command ran through without errors.
Hi, I am looking to create a time series graph based on multiple fields. We could have multiple hosts and each host has multiple CPUs. I am looking for the best approach to visualize it. Thanks
Hello, I have installed an app, and the data in the app is written to the "main" index. When I search for data from the app, it works fine. Below is my search query:

index="main" source=jira

However, when I search for the same data from the Search app, the data is not visible, and hence when I try to create a dashboard, it is not functional. How can I make the data searchable from the Search app as well as from the app? Please advise. -- Thanks in advance. Siddarth
Does anyone have any guide or documentation on how to integrate SnipeIT add-on with splunk? TIA https://splunkbase.splunk.com/app/6271
Hi Team, I tried to create a dashboard with a tab view. I used a link list to create the tabs. I would like to load the panels only when the linked tab is clicked. Could someone please suggest how to achieve that?

<form theme="dark">
  <label>search_depends</label>
  <description>test</description>
  <init>
    <unset token="dont_run"></unset>
    <set token="run"></set>
  </init>
  <fieldset submitButton="false">
    <input type="link" token="tok_tabs">
      <label>tabs</label>
      <choice value="panel1">panel1</choice>
      <choice value="panel2">panel2</choice>
      <default>DataAnalysis</default>
      <change>
        <condition value="panel1">
          <set token="panel1">true</set>
          <unset token="panel2"></unset>
        </condition>
        <condition value="panel2">
          <set token="panel2">true</set>
          <unset token="panel1"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row depends="$panel1$">
    <panel>
      <single>
        <title>load only panel1</title>
        <search depends="$run$" id="dont_run">
          <query>|makeresults|eval data="Can you see me?!"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="refresh.display">progressbar</option>
        <option name="underLabel"># tickets closed last month</option>
      </single>
    </panel>
  </row>
  <row depends="$panel2$">
    <panel>
      <single>
        <title>load only panel2</title>
        <search depends="$dont_run$" id="run">
          <query>|makeresults|eval data="Can you see me?!"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="rangeColors">["0x53a051","0x0877a6","0xf8be34","0xf1813f","0xdc4e41"]</option>
        <option name="refresh.display">progressbar</option>
        <option name="underLabel"># tickets closed last month</option>
      </single>
    </panel>
  </row>
</form>
Hello sir, how do I add the Spamhaus dataset in Splunk? Is there any guide or process? Please help. I have already installed Spamhaus Datasets for Splunk.
Hi there, I have a requirement where I have a large number of events that were uploaded on the 4th of November but need to be changed to the 1st of November after they have been indexed. Is that possible?
Good afternoon! I'm noticing that the time format in the messages I send to /services/collector/raw isn't being parsed, or even vice versa: this field isn't displayed in Splunk. My field is: "eventTime": "2022-10-13T18:08:30". Please tell me the correct format.
Hi, I have events which are received when an action is finished on my system. Each event contains the start and stop time for the action and a unique action_id. So my event data is something like this: I would like to get the count of ongoing actions, e.g. with one-minute resolution over the selected time frame. How do I do that?
Hello everyone, I have a field in this format, and this information is fetched from a JSON array.

Label
apple 1
apple 2
apple 3
banana 1
banana 2
banana 3

How can I split this into:

Apples     Bananas
apple 1    banana 1
apple 2    banana 2
apple 3    banana 3

I'm not able to identify what character to use in the split function. I have read various solutions on this page but none of them match this situation. Thanks in advance for any help you provide.
Hi, we have recently switched from Phantom to SOAR and I'm trying to send our triggered alerts to SOAR. The TA we are using is Splunk for SOAR Export. I have tested the connection from Splunk Enterprise to SOAR and it works. But I keep getting the following error for one alert:

11-04-2022 05:31:21.724 +1100 WARN sendmodalert [17285 AlertNotifierWorker-0] - action=sendtophantom - Alert action script returned error code=1
11-04-2022 05:31:21.724 +1100 INFO sendmodalert [17285 AlertNotifierWorker-0] - action=sendtophantom - Alert action script completed in duration=1394 ms with exit code=1

This question was also asked in Alerting as well: https://community.splunk.com/t5/Splunk-SOAR-f-k-a-Phantom/Unable-to-add-auth-token-or-add-phantom-instance/m-p/344908 But I feel like it could be the wrong channel.
Hello everyone, I am trying to find out what search string I could use to see what file was created after a malicious file was run. The malicious file is called template.pdf, but I can't seem to figure out what search string to use to see what file was created after the user opened it.
I use some strings in data to represent months, e.g. "2022-1". Run this in Search:

| makeresults format=csv data="Month
2022-1
2022-1
2022-7
2022-7
2022-7
2022-8
2022-9
2022-9
2022-9
2022-10
2022-10
2022-10
2022-10
2022-9"
| stats count by Month
| sort Month

You get: Now use the Splunk query in Dashboard Studio for a bar chart: Why is October ("2022-10") suddenly being treated as a date???? Is this a bug or a feature? I tried changing the strings to have a leading zero for the month, e.g. "2022-01". They are ALL then treated as dates. How do I avoid this? Thanks for your help
Hey all! Hoping you can help. I am currently building a dashboard that will allow users to select an option from a dropdown menu, and then type in a username in order to see all events for that input for that user. I am in a bind, however, as the dropdown has several hundred options (unfortunately no way to slim that down) and I was wondering if there was a way to quickly and painlessly add the labels and values from a spreadsheet I have into the dropdown, or if I have to go through and copy each of them individually. Any help would be greatly appreciated!
I am trying to get a JSON formatted file into Splunk. The file is being forwarded from a UF with monitor; it contains data from aircraft (ADS-B data). This is a sample:

{ "now" : 1667769466.071,
 "messages" : 58728034,
 "aircraft" : [
{"hex":"8963e3","type":"adsb_icao","flight":"UAE3KE ","r":"A6-EPT","t":"B77W","alt_baro":35000,"alt_geom":34475,"gs":526.3,"ias":281,"tas":486,"mach":0.828,"wd":241,"ws":45,"oat":-46,"tat":-15,"track":91.85,"roll":-0.35,"mag_heading":93.69,"true_heading":94.78,"baro_rate":0,"geom_rate":0,"squawk":"7313","emergency":"none","category":"A5","nav_qnh":1013.0,"nav_altitude_mcp":35008,"nav_heading":94.92,"lat":52.301067,"lon":1.596706,"nic":8,"rc":186,"seen_pos":0.864,"r_dst":186.487,"r_dir":295.3,"version":2,"nic_baro":1,"nac_p":9,"nac_v":1,"sil":3,"sil_type":"perhour","gva":2,"sda":2,"alert":0,"spi":0,"mlat":[],"tisb":[],"messages":24165,"seen":0.9,"rssi":-25.1},
{"hex":"47a531","type":"adsb_icao","flight":"NOZ7YW ","r":"LN-NGS","t":"B738","alt_baro":33000,"alt_geom":32400,"gs":468.2,"ias":258,"tas":430,"mach":0.732,"wd":221,"ws":41,"oat":-46,"tat":-22,"track":37.19,"track_rate":-0.22,"roll":-5.45,"mag_heading":35.86,"true_heading":36.99,"baro_rate":0,"geom_rate":0,"squawk":"1410","category":"A3","nav_qnh":1013.6,"nav_altitude_mcp":32992,"nav_altitude_fms":33008,"nav_heading":35.16,"lat":52.396033,"lon":1.734820,"nic":8,"rc":186,"seen_pos":10.505,"r_dst":184.026,"r_dir":297.5,"version":2,"nic_baro":1,"nac_p":9,"nac_v":1,"sil":3,"sil_type":"perhour","gva":2,"sda":2,"alert":0,"spi":0,"mlat":[],"tisb":[],"messages":8664,"seen":6.8,"rssi":-30.0},
{"hex":"484b91","type":"adsb_icao","flight":"KLM1293 ","r":"PH-BGK","t":"B737","alt_baro":40000,"alt_geom":39400,"gs":457.5,"ias":241,"tas":466,"mach":0.796,"wd":229,"ws":32,"oat":-47,"tat":-19,"track":304.94,"track_rate":-0.03,"roll":-0.18,"mag_heading":300.06,"true_heading":301.14,"baro_rate":32,"geom_rate":-64,"squawk":"6260","category":"A0","nav_qnh":1013.2,"nav_altitude_mcp":40000,"lat":53.694841,"lon":1.827527,"nic":8,"rc":186,"seen_pos":4.051,"r_dst":224.752,"r_dir":316.3,"version":0,"nac_p":8,"nac_v":0,"sil":2,"sil_type":"unknown","alert":0,"spi":0,"mlat":[],"tisb":[],"messages":4336025,"seen":2.2,"rssi":-30.0},
{"hex":"406754","type":"adsb_icao","flight":"EZY36HD ","r":"G-EZWC","t":"A320","alt_baro":38000,"alt_geom":37900,"gs":420.8,"track":320.79,"baro_rate":-256,"squawk":"5730","category":"A3","lat":49.963852,"lon":1.830091,"nic":8,"rc":186,"seen_pos":49.821,"r_dst":179.161,"r_dir":250.1,"version":2,"nac_v":1,"sil_type":"perhour","alert":0,"spi":0,"mlat":[],"tisb":[],"messages":122526,"seen":31.2,"rssi":-27.9},
{"hex":"400f99","type":"mode_s","r":"G-DBCJ","t":"A319","alt_baro":23000,"alt_geom":22625,"gs":475.2,"track":69.81,"baro_rate":0,"nac_v":1,"alert":0,"spi":0,"mlat":[],"tisb":[],"messages":11,"seen":2.3,"rssi":-31.1}
] }

How can I get every line (starting with "hex") into a separate event with all fields extracted? Ideally the timestamp of every event is the one from header line 1, named "now".
Hello, can anyone help me out with the problem of a client that is connected to the deployment server but unable to send logs of any kind? No internal logs and no monitored logs are being received at the indexer, even though phone home is happening and apps are being deployed to the client. Thank you.
Hello, I am very new to Splunk. I am wondering how to split these two values into separate rows. The "API_Name" values are grouped but I need them separated by date. Any assistance is appreciated! SPL:

index=...
| fields source, timestamp, a_timestamp, transaction_id, a_session_id, a_api_name, api_name, API_ID
| convert timeformat="%Y-%m-%d" ctime(_time) AS date
| eval sessionID=coalesce(a_session_id, transaction_id)
| stats values(date) as date dc(source) as cnt values(timestamp) as start_time values(a_timestamp) as end_time values(api_name) as API_Name by sessionID
| where cnt>1
| eval start=strptime(start_time, "%F %T.%Q")
| eval end=strptime(end_time, "%FT%T.%Q")
| eval 'duration(ms)'=abs((end-start)*1000)
| stats count, perc95('duration(ms)') as "95thPercentileRespTime(ms)" values(API_Name) as API_Name by date