All Topics


We are upgrading the OS version to RHEL 8.6 on the Splunk server. I would like to know what the checklist is with respect to the installed Splunk apps, and how to check compatibility with Splunk apps.
Hi, in Splunk Cloud on the ES SH there is a data durability error with unhealthy instances; the status shows that the search factor is not met. Thanks.
I need to extract abcd123456 from the string NONPROD:abcd123456_DBSERVER...
Hi, I am forwarding logs from UF -----> HF -----------> Indexer -------> Search Head. I am forwarding Windows Event Logs on index=os_windows from the UF to the heavy forwarder and then to the indexer. Do I need to create index=os_windows on the heavy forwarder? If the answer is no, I wanted to check the logs on the HF to see whether the logs are sent from the UF to the HF. How do I need to search? Please let me know. Thanks.
Hello Team, my workplace bought Splunk a year ago, and I am self-learning with limited access to my office Splunk. The tutorial I am learning from provides instructions on how to install free Splunk on my home computer, so I installed it today. I got the following error within half an hour. How do I exceed the license within 30 minutes? I thought the free license is for 60 days. I do see a lot of posts on the same topic, sorry for the duplicate post; can someone tell me how to troubleshoot? Do I have to uninstall and reinstall again?
----------------------
    Error in 'litsearch' command: Your Splunk license expired or you have exceeded your license limit too many times. Renew your Splunk license by visiting www.splunk.com/store or calling 866.GET.SPLUNK.
    The search job has failed due to an error. You may be able view the job in the Job Inspector.
Observed a peculiar case where the UF on a syslog server is not reading the complete log file. If, for example, there exists a PAN log for 4th Nov with logs available for every hour in that log file, the UF seems to read only the first 4 hours and then stops ingesting to the cloud. The next day, when a new log file (i.e. the 5th Nov file) is created, it again starts to read that log file for a couple of hours and then stops. Points to be noted:
- There is only one log file (2022-11-05.log), which keeps updating as logs get pushed to the syslog server from the network host.
- The size of the log for one day is around 500 GB plus.
- No CRC is used in the input setting.
Can you let me know what is causing the UF to stop reading the complete log file?
Hi All, I am trying to install Splunk on Red Hat Linux on my personal VM. I am facing issues. Kindly help. Regards, Suman P.
I am trying to configure the Universal Forwarder to output to an HTTP Event Collector endpoint in Cribl. This Cribl endpoint has been configured for me and the admin has disabled the use of an authentication token. If I try to leave the httpEventCollectorToken field out or empty, I get messages like this in splunkd.log:
    S2S - Authtoken is empty/size invalid, token:
    TcpOutputProc - _isHttpOutConfigured=NOT_CONFIGURED
    TcpOutputProc - LightWeightForwarder/UniversalForwarder not configured. Please configure outputs.conf.
This seems to imply the Universal Forwarder will not allow me to omit the token. If I try to send data to the endpoint using curl to manually generate an HTTP POST request, it all works. Can anyone shed light on this? Thanks, Rob
I have a query that returns successful logins and a profile ID. Then, from the result of those, I want to create another search for each result that shows the email address of the profile ID. The first query is:
    index=commerce loginSuccessful=true | stats count by profile
Then I would want to do the following, for each "profile":
    index=commerce "profile email!="<null>" email!=null | table profile email
How can I find an exact string which has a double quote in it? I want to find the exact string HTTP/1.1" 500
I have a search that writes to a lookup table. I would like to run this search once a month and update (overwrite) the lookup table. I see that I can schedule reports, dashboards, and alerts. Is it possible to do it with a search that writes to a lookup table file?
Hi team. I'm looking for a query/solution that will alert me when a log source is no longer sending logs. For example, I have an index called "linux_prod" which is populated when Linux hosts forward their events. I would like to receive an alert when this index stops receiving events for the past 1 hour. This happens when SC4S or some other issue on the network has problems. Thank you.
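One way to build the "log source went silent" alert asked about above, as an added example that is not part of the original post. The catch with a naive `index=linux_prod earliest=-1h | stats count` is that a search returning zero events returns zero rows, so an alert set to fire "when results exist" never fires exactly when you need it. The search below appends a zero-count row for every host you expect, so silent hosts surface as results. The lookup `expected_linux_hosts.csv` (a single `host` column) is a hypothetical name for this example.

```spl
| tstats count AS events WHERE index=linux_prod earliest=-1h latest=now BY host
| append
    [| inputlookup expected_linux_hosts.csv
     | fields host
     | eval events=0 ]
| stats sum(events) AS events BY host
| where events=0
| eval index="linux_prod", silent_window="1h"
| table host index silent_window
```

Save it as an alert scheduled every hour with the trigger condition "number of results > 0"; each row is a host that sent nothing in the last hour. If you only want the whole-index check from the post (rather than per host), replace the `inputlookup` subsearch with `[| makeresults | eval host="any", events=0 | fields host events]` and split by nothing: the append still guarantees a row exists when the index is empty. `tstats` is used because it reads indexed fields only and stays cheap even on a large index.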
Anyone have a search that will return the indexed events per second across the entire indexer cluster?
The following is my ideal final query to be used in a dashboard.
    index=cdn_app httpMessage.host=taxes* | eval _env=$env_host$ | eval _hostName=case(_env=="http:abc-h123-apps-prod","taxes.sf.com", _env=="http:abc-h123-apps-qa", "taxes-qa.sf.com") | search httpMessage.host=_hostName | spath output=status path=httpMessage.status | eval status=case(like(status, "2%"),"2xx",like(status, "4%"),"4xx",like(status, "5%"),"5xx") | stats count by status
It seems `_hostName` is not resolving even when I hardcode values like so.
    index=cdn_app httpMessage.host=taxes* | eval _env="taxes.sf.com" | eval _hostName=case(_env=="http:abc-h123-apps-prod","taxes.sf.com", _env=="http:abc-h123-apps-qa", "taxes-qa.sf.com") | search httpMessage.host=_hostName | stats count by httpMessage.host
I'm sure it's with my eval case because this works just fine.
    index=cdn_app httpMessage.host=taxes* | search httpMessage.host="taxes.sf.com" | stats count by httpMessage.host
Open to any suggestions. Thanks!
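The reason the query above filters nothing is the `search` command, not the `case()`: `| search httpMessage.host=_hostName` compares the field against the literal string `_hostName`, because `search` never dereferences field names on the right-hand side. Field-to-field comparison is what `where` does. The rewrite below is an added example, not code from the original post; it also quotes the `$env_host$` token (an unquoted token value is parsed as a bare identifier once substituted), renames the `_env`/`_hostName` fields because a leading underscore marks a field as internal and hides it from results, and adds a `true()` default so unexpected status codes land in an "other" bucket instead of vanishing.

```spl
index=cdn_app httpMessage.host=taxes*
| eval env="$env_host$"
| eval hostName=case(env=="http:abc-h123-apps-prod", "taxes.sf.com",
                     env=="http:abc-h123-apps-qa",   "taxes-qa.sf.com")
| where 'httpMessage.host'=hostName
| spath output=status path=httpMessage.status
| eval status=case(like(status, "2%"), "2xx",
                   like(status, "4%"), "4xx",
                   like(status, "5%"), "5xx",
                   true(),             "other")
| stats count BY status
```

The single quotes around `'httpMessage.host'` are required in `where`/`eval` expressions for a field name containing a dot; double quotes would turn it into a string literal. If the environment-to-host mapping is static, the cheaper option is to resolve it in the dashboard token itself and put `httpMessage.host="$resolved_host$"` directly in the base search, so the indexers filter the events instead of the search head.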
I'm looking for a search I can run that will return the ingest rate (KB/s) across the entire cluster.  I know there's a "Deployment-Wide Total Indexing Rate" panel in the DMC dashboard "Indexing Performance: Deployment" that contains this data but I need to recreate this on the cluster itself to push to a summary index for retention and quick export.  Also, if there's a similar search that will return events/s, I'm looking for that as well.
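The two posts above (indexed events per second, and ingest rate in KB/s, across the whole cluster) can be served by one search over the indexers' own `metrics.log`, which every indexer writes to `_internal` and which a search head with the indexers as peers can read. This is an added example, not the DMC panel's own search. It uses the aggregate `group=thruput name=thruput` line rather than `per_index_thruput`, because the `per_*` groups only report the top series per interval and summing them undercounts on deployments with many indexes. `summary_ingest` is an assumed summary index name; create it before scheduling the report.

```spl
index=_internal source=*metrics.log group=thruput name=thruput
| bin _time span=1m
| stats sum(kb) AS kb sum(ev) AS ev BY _time
| eval kbps=round(kb/60, 2), eps=round(ev/60, 2)
| table _time kbps eps
| collect index=summary_ingest marker="report=cluster_indexing_rate"
```

Drop the final `collect` line to run it ad hoc; keep it and schedule the search (for example every 5 minutes over the last 5 minutes) to retain the series for as long as the summary index is kept. Add `host` to the `BY` clause of the `stats` line if you also want the per-indexer breakdown, which is the quickest way to spot one peer that stopped receiving.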
Hi, I have a dashboard with multiple panels. For some of them I succeeded in only showing them when there is a result. Now I would like this also for some single value visualizations. The single value displays '0' when there is no result, but it is still showing in the dashboard. How can I fix this?
    </panel>
    <panel depends="$panel_show4$">
      <title>Test_Panel_4</title>
      <single>
        <search>
          <progress>
            <condition match="'job.resultCount' &gt; 0">
              <set token="panel_show4">true</set>
            </condition>
            <condition>
              <unset token="panel_show4"></unset>
            </condition>
          </progress>
Hi, can anyone help me with a video or documentation that shows onboarding the data via the server and not from the UI? Regards, Suman P.
Does anyone have any ideas on who created this application? The app files seem to point to Splunk; however, support is unable to investigate as it is listed on Splunkbase as "Community" (though it says Splunk SOAR MobileIron Copyright Splunk Inc.), which is leaving me confused and unsure where else to get answers.
https://github.com/splunk-soar-connectors/mobileiron/blob/next/NOTICE
    Splunk SOAR MobileIron
    Copyright (c) 2016-2022 Splunk Inc.

    Third-party Software Attributions:

    Library: beautifulsoup4
    Version: 4.9.1
    License: MIT
    Copyright 2004-2017 Leonard Richardson
    Copyright 2004-2019 Leonard Richardson
    Copyright 2018 Isaac Muse

    Library: requests
    Version: 2.25.0
    License: Apache 2.0
    Kenneth Reitz
Hello, I have the following 4 gauges in a panel and I want to change the color only for the "Category:4" gauge, based on the below values/thresholds of the "Category:4" gauge.
    Range    Color
    0-79     Red
    80-99    Yellow
    100      Green
Note: I don't want to change the color of the gauges "Category:1", "Category:2", "Category:3" (these gauges have different conditions/thresholds for color). Thanks for your help in advance. @ITWhisperer @gcusello
I have a table with 1 column and 6 rows which I'll be changing to 1 row and 6 columns using transpose, and eventually hide the header using CSS, such that I only have a row of 6 different values, say A, B, C, D, E, F. I want to display details related to each of those 6 values based on which value is clicked. The queries for each of those 6 values are different, and hence I have placed them in separate tables, something like TableA, TableB, ..., TableF. I have come across the <condition/> option but I'm not able to make out how I can use it in this scenario. Any leads in achieving this will be of great help.