After a fresh install of Splunk 9.0.1, Splunk CLI commands (for example 'add oneshot') report the following warning message: WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details. This warning was not seen on prior releases of Splunk (8.2.x). Also, this warning message did show up on 'splunk start' after the fresh install. It looks like this warning message is a bug in 9.0.x for a fresh install/start of Splunk.
I am currently attempting to build in a new command. This command includes code from the msgspec Python package. Within the package is a C library which is referenced as a module by the other functions of the package. Testing on my Splunk Ubuntu server with base python3 versions 3.6, 3.7, 3.8, 3.9, and 3.10, this package works without issue. When I attempt to run the same package reference from a Python script called via the Splunk command line, I receive an error. Given that I can successfully run a test script from the same <app>/bin directory as my Splunk commands using the same modules, is there anything in Splunk's use of the Python interpreter that would prevent Splunk from using Python's built-in C-extension library?

Error code example: _core --> reference: https://github.com/jcrist/msgspec/blob/main/msgspec/_core.c

Successfully created new dispatch directory for search job. sid=b762c107adc97090_tmp dispatch_dir=/opt/splunk/var/run/splunk/dispatch/b762c107adc97090_tmp
10-31-2022 13:33:02.556 INFO ChunkedExternProcessor [782335 searchOrchestrator] - Running process: /opt/splunk/bin/python3.7 /opt/splunk/etc/apps/<app>/bin/<base_script>.py
10-31-2022 13:33:02.674 ERROR ChunkedExternProcessor [782340 ChunkedExternProcessorStderrLogger] - stderr: Traceback (most recent call last):
10-31-2022 13:33:02.674 ERROR ChunkedExternProcessor [782340 ChunkedExternProcessorStderrLogger] - stderr: File "/opt/splunk/etc/apps/<app>/bin/<base_script>.py", line 14, in <module>
10-31-2022 13:33:02.674 ERROR ChunkedExternProcessor [782340 ChunkedExternProcessorStderrLogger] - stderr: from <parse_script> import <parse_function> as <function>
10-31-2022 13:33:02.674 ERROR ChunkedExternProcessor [782340 ChunkedExternProcessorStderrLogger] - stderr: File "/opt/splunk/etc/apps/<app>/bin/lib/<parse_script>.py", line 3, in <module>
10-31-2022 13:33:02.674 ERROR ChunkedExternProcessor [782340 ChunkedExternProcessorStderrLogger] - stderr: from msgspec.json import encode, decode
10-31-2022 13:33:02.674 ERROR ChunkedExternProcessor [782340 ChunkedExternProcessorStderrLogger] - stderr: File "/opt/splunk/etc/apps/<app>/bin/lib/msgspec/__init__.py", line 1, in <module>
10-31-2022 13:33:02.674 ERROR ChunkedExternProcessor [782340 ChunkedExternProcessorStderrLogger] - stderr: from ._core import (
10-31-2022 13:33:02.674 ERROR ChunkedExternProcessor [782340 ChunkedExternProcessorStderrLogger] - stderr: ModuleNotFoundError: No module named 'msgspec._core'
10-31-2022 13:33:02.685 ERROR ChunkedExternProcessor [782335 searchOrchestrator] - EOF while attempting to read transport header read_size=0
10-31-2022 13:33:02.708 ERROR ChunkedExternProcessor [782335 searchOrchestrator] - Error in '<command>' command: External search command exited unexpectedly with non-zero error code 1.
Hi, I am new to Splunk. Can you please let me know where I can find documentation/user manuals about using Splunk to manage assets? My Splunk access at my workplace has a "splunk List Viewer" and an "Asset Information" page. I would like to learn how to set up each field and how to update my assets. Thank you! -tom
I want each x-axis value to have a different static color. How do I customize this?
Hi! I have a tgz file with a Splunk add-on developed by my coworkers. I created a trial instance of Splunk Cloud and would like to install (upload) this add-on from the file, with the intention of making some modifications for my POC. Unfortunately, I can't locate a place to install or upload a new add-on (see the screenshot in the attachment). Please help me find it.
Hi folks, I want to monitor CloudWatch metrics of a single EC2 instance. How do I monitor metrics for just a single instance? I tried the Splunk AWS add-on but I couldn't configure my AWS account. The problem is that while using Data Manager it gives the results of all the running instances' data, but I need to monitor just a single instance. Thanks in advance,
Hi, currently I am using Splunk version 8.1.2, and I would like to know the OpenSSL version which is used in this Splunk version. So I ran 2 commands to find the OpenSSL version, but I am getting 2 different results from those commands. So which one do I need to consider?
1. splunk@splunkidx$ ./splunk/bin/splunk cmd openssl version
   OpenSSL 1.0.2w-fips 9 Sep 2020
2. splunk@splunkidx$ openssl version
   OpenSSL 1.1.1k FIPS 25 Mar 2021
Hi, can we concatenate a string with a number using eval with the '.' operator? I got to know that from a video, but when I do it, I am able to do it. I don't know what is going on. Kindly help. Regards, Suman P.
I can control the data sent to the fields. All fields on the default search allow you to include/exclude them in search results. I suppose this is the default "drilldown" option. I tried http://whatever, <link>http://whatever and <a href="http://whatever". The default search won't let you click the link, it just lets you filter on that field. Is there an override to this?
Hello fellow Splunkers, one of our end users was attempting to investigate a Splunk alert. When they attempted to access the URL contained in the email, they received a permission denied error. They also received the same alert when manually navigating to the alert under the "Alerts" section and attempting to review the triggered alert. The alert permissions are set so anybody can read the alert, but only Power Users and Admins are able to write. I have reviewed a couple of other Splunk Community posts regarding similar permission issues but was unable to locate a solution. Does anyone have an idea what could be causing this? - Hutch
Worked extensively with Splunk support on this. They believe that the problem is that the app is either fundamentally incompatible with Splunk 9 or with the latest Salesforce TA. Ultimately splunk-app-sfdc is using the collection lookup_sfdc_usernames_kvstore, which is not defined in the collections.conf of the app but in the add-on. It looks like the app is trying to refer to that and is not able to find that lookup.
ERROR KVStoreProvider [29936 SchedulerThread] - Could not create KvStore Lookup failed because collection 'lookup_sfdc_usernames_kvstore' in app 'splunk-app-sfdc' does not exist, or user 'splunk-system-user' does not have read access.
Hence my question: has anyone gotten this to actually work? If so, what is the trick? Regards, Mike Kirda
Hello, can we create either of the breaking criteria for the episodes in Splunk ITSI? We do have bidirectional ticketing enabled, but if the external ticket is not closed then the episode remains open, so we need to create a breaking criterion. Will it impact the bidirectional ticketing if we enable breaking criteria?
Hey everyone! Has anyone ever experienced jobs running over 100%, sometimes as high as 150%/160%, and not completing? It ends up causing the maximum number of concurrent searches to be reached and makes new jobs not run. We currently have about 220 correlation searches running and this had not been an issue before. Any and all feedback is appreciated!
I don't see any expiration for a HEC token. Do they have an expiration date? On Settings > Data Inputs > HTTP Event Collector there is nothing of the sort, nor is the token repeated in any other fashion to access it in the Settings > Tokens area.
Hi Team, I wanted to write a query to find the Splunk agent version of a specific set of hosts in our environment. I had tried the below link to find out the version details for all UFs. https://community.splunk.com/t5/Getting-Data-In/How-can-I-find-a-listing-of-all-universal-forwarders-that-I-have/m-p/324298 But I am unable to narrow it down to a specific set of hosts. So could anyone let me know how to write a query to fetch the version details? Thanks in advance.
Re: ta:ms:loganalytics:log ConnectionError: ('Connection aborted.', error(104, 'Connection reset by peer'))
2022-10-31 09:41:14,147 ERROR pid=14783 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/modinput_wrapper/base_modinput.py", line 127, in stream_events
    self.collect_events(ew)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/log_analytics.py", line 96, in collect_events
    input_module.collect_events(self, ew)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/input_module_log_analytics.py", line 72, in collect_events
    response = requests.post(uri,json=search_params,headers=headers)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/api.py", line 110, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/api.py", line 56, in request
    return session.request(method=method, url=url, **kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/opt/splunk/etc/apps/TA-ms-loganalytics/bin/ta_ms_loganalytics/requests/adapters.py", line 473, in send
    raise ConnectionError(err, request=request)
ConnectionError: ('Connection aborted.', error(104, 'Connection reset by peer'))
I use
index=main | lookup test1.csv Severity1 | stats count by Severity
The lookup table has 5 values (Veryhigh, high, medium, low, verylow). How do I add these to the x-axis even if I do not have a y-axis count for them? I want the chart to look like
Hi, I've got the below query that I'm using to try and see when correlation searches have been edited:
| rest splunk_server=local count=0 /servicesNS/-/SplunkEnterpriseSecuritySuite/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| where disabled=0
| eval actions=split(actions, ",")
| rename "eai:acl.owner" as "Created By"
| rename author as "Updated By"
| rename updated as "Update time"
| fields title, search, description, "Update time", "Updated By", "Created By"
The issue that I'm having here is that no matter what I try, I am unable to narrow this down to the last hour, for example, and it always returns the last couple of months. Any help on this would be great!
Hello Splunkers, I am facing some errors every time I relaunch my Splunk service on my HF. Inside splunkd.log I have this:
error=Splunkd daemon is not responding: ('Error connecting to https://127.0.0.1:8089//services/server/roles: [Errno 111] Connection refused',)
I am sure that splunkd is running on port 8089 and I also checked that my instance's firewall is not blocking this port. Maybe it's just normal to see those errors at Splunk startup? Thanks for your help, GaetanVP
Tell me, is this message format possible for sending to Splunk:
curl --location --request POST 'http://170.25.25.25:8088/services/collector/event' \
  --header 'Authorization: Splunk ееееее-еееееееее-ееееее-e6fc' \
  --header 'Content-Type: text/plain' \
  --data-raw '{
    "messageId": "<ED280816-E404-444A-A2D9-FFD2D171F928>",
    "srcMsgId": "<rwfsdfsfqwe121432gsgsfgdg>",
    "correlationMsgId": "<rwfsdfsfqwe135432gsgsfgdg>",
    "baseSystemId": "<SDS-IN>",
    "routeInstanceId": "<TPKSABS-SMEV>",
    "routepointID": "<1.SABS-GIS.TO.KBR.SEND>",
    "eventTime": "<1985-04-12T23:20:50>",
    "messageType": "<ED123>",
    "GISGMPResponseID": "<PS000BA780816-E404-444A-A2D9-FFD2D1712345>",
    "GISGMPRequestID": "<PS000BA780816-E404-444A-A2D9-FFD2D1712344>",
    "tid": "<ED280816-E404-444A-A2D9-FFD2D171F900>",
    "PacketGISGMPId": "<7642341379_20220512_123456789>",
    "result.code": "<400>",
    "result.desc": "<Ошибка: абвгд>"
  }'
Without the fields "event" and "fields", using only custom fields?