I have the following events. I am trying to get all the events between START and END of a job (inclusive). For instance, the job 51060 below has 3 events in between... I am trying a transaction command but I don't get the events in between. I only get the start and end event:

| transaction startswith="START" endswith="END"

2022-10-21T23:26:14.075003-07:00 xyz slurm-epilog: END user=svc job=51060
2022-10-21T20:15:16.914838-07:00 xyz kernel: [52023.042550] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T20:13:46.890841-07:00 xyz kernel: [51933.011964] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T20:12:16.866833-07:00 xyz kernel: [51842.981401] NVRM: Xid (PCI:): 119, pid=16378, name=cache_mgr_main, Timeout waiting for RPC from GSP! Expected function 76 (GSP_RM_CONTROL) (0x20808513 0x598).
2022-10-21T19:17:25.710875-07:00 xyz slurm-prolog: START user=svc job=51060
Hi all, I have the following query for a single value visualisation:

| stats count(eval(completedDate < TargetDate)) as completed, count(number) as total | eval percentage = round((completed/total)*100, 2)." %"

The visualisation is the percentage. I need to change the colors to red and green based on the value of the percentage. This I managed to do. However, I need to change the color of the value to grey if total<5. Is this possible to do, or not? Thanks in advance.
Please help with a regex to extract the first IP (highlighted red) only:

2022-10-25T14:30:28.108+00:00 10.3.4.150 syslog-ng 14928 - [meta sequenceId="-2074435768"] Error processing log message: <14>1 2022-10-26T10:30:28.588005-04:00 RM-SU-SAM - - RemoteLogging>@< { "logVersion": "1.0", "category": "AUDIT", "timeStamp": "2022-10-26T14:29:43.439Z", "id": "K7pTSQoxfV7pvq3bO8PSehvilSt4yZxEiU9oGkasPx8=", "context": { "tenantId": "ZZNXA0OELD-STA", "originatingAddress": "104.205.81.157, 35.227.230.123, 130.211.2.118,172.30.9.68", "principalId": "opatel@mail.com", "sessionId": "c0r52fac-9fc3-42a1-8e48-492b31c72790", "globalAccessId": "10f31a5e-53b4-4bc8-9ec8-13bb6b670592", "applicationType": "SAML", "applicationName": "Splunk", "policyName": "Global Policy for STA" }, "details": { "type": "ACCESS_REQUEST", "state": "Accepted", "action": "auth", "credentials": [ { "type": "otp", "state": "Verified" } ] }
Hi together, I want to group my bar chart in 2 columns. In the pictures you can see how I get it done and how it should look. reached target

host=my_host index=my_index | stats count | join [ search host=my_host index=my_index result.value= -1 | stats count | rename count as "Tests_Failed"] | join type=left [ search host=my_host index=my_index result.value= 1 | stats count | rename count as "Tests_Passed"] | join [search host=my_host index=my_index | rename result.value as isFailed | eval isFailed=if(isFailed=-1, 0, 1) | stats sum(isFailed) as testedPositive by Produktionsnummer | stats count(eval(testedPositive!="0")) as io count(eval(testedPositive="0")) as nio] | table Typ-Nummer, Tests_Failed, Tests_Passed, nio, io | rename Typ-Nummer AS "Product Name & Number", Tests_Passed AS "Tests Passed", Tests_Failed AS "Tests Failed", percFailed as "Percentage of Tests Failed"

I want to split it into 2 stacked columns like in the picture (Tests_Failed, Tests_Passed) and (nio, io). Many thanks in advance!
With the Splunk Virus Total app, is a subscription to Virus Total required?
Good Morning, I'm installing PHP agent 22.8 on an Oracle Linux server with PHP 7.3 and the Apache web server. When I run the install.sh command with the -s -i options I am getting the following error. The script is finding the version, extensions directory and ini directory. Does anyone know what that means or how to fix it? "Agent installation does not contain PHP extension for PHP 7.3" thx, M
Hi there, I have my Splunk Stream installed and configured on the Search Head. All dashboards provide me with a lot of data, however the "database" activity dashboard is empty. I have got an external Postgres database and do not know how to connect to it. Thanks for help. regards, pawelF
Hi, I have the following query:

index = ABC | eval domain=mvindex(split(EMAIL_TXT, "@"), 1) | stats dc(EMAIL_TXT) AS Count_EmailAddress, values(domain) as domain values(EMAIL_TXT) as Email_Address, values(STRT_DTS) AS Start_Date by IP_ADDR | where Count_EmailAddress >1 | sort -Count_EmailAddress

I also have a lookup with a list of IPs: |inputlookup HighRiskDomain

How do I create a new field called "HighRiskIP" that would have "Yes" or "No" values, depending on whether the IP for that given row matches an IP in the lookup?
Hi all, I am checking the list of services down on a host using the search below:

index=ivz_unix* Service source="Unix:Service" status=stopped

What is the search query used to check the list of services down for a host based on the host name? For example, I want to see that for a host these services are in the stopped state. Please help.
I have a list of hosts in the lookup table. These values aren't static and get updated dynamically every three months. Is it possible to update the lookup dynamically in the two ways mentioned below, without updating the values manually?
1. Old values need to be replaced by new values
2. New values should be appended to the old values in the table
Thanks!
Hi all. I wish to display the value's count in a table format. For example: Computer A has 100 sessions. Computer B has 50 sessions. I want to display the 100 and the 50 values alongside "Computer A" and "Computer B". Thanks!
I found this, but I am unable to replicate it. I am not understanding where I am messing up here. Problem: I feed btool outputs into Splunk, and chop them up by stanza.

/opt/splunk/etc/apps/Splunk_TA_windows/default/transforms.conf [xmlsecurity_eventcode_errorcode_action_lookup]
/opt/splunk/etc/system/default/transforms.conf CAN_OPTIMIZE = True
/opt/splunk/etc/system/default/transforms.conf CLEAN_KEYS = True
/opt/splunk/etc/system/default/transforms.conf DEFAULT_VALUE =
/opt/splunk/etc/system/default/transforms.conf DEPTH_LIMIT = 1000
/opt/splunk/etc/system/default/transforms.conf DEST_KEY =
/opt/splunk/etc/system/default/transforms.conf FORMAT =
/opt/splunk/etc/system/default/transforms.conf KEEP_EMPTY_VALS = False
/opt/splunk/etc/system/default/transforms.conf LOOKAHEAD = 4096
/opt/splunk/etc/system/default/transforms.conf MATCH_LIMIT = 100000
/opt/splunk/etc/system/default/transforms.conf MV_ADD = False
/opt/splunk/etc/system/default/transforms.conf REGEX =
/opt/splunk/etc/system/default/transforms.conf SOURCE_KEY = _raw
/opt/splunk/etc/system/default/transforms.conf WRITE_META = False
/opt/splunk/etc/apps/Splunk_TA_windows/default/transforms.conf case_sensitive_match = false
/opt/splunk/etc/apps/Splunk_TA_windows/default/transforms.conf filename = xmlsecurity_eventcode_errorcode_action.csv

I then wanted to extract the fields; for example, "SOURCE_KEY = _raw" should be my key/value pair! I hoped to accomplish this with

(transforms)

[dotheparsething]
REGEX = \s([\S-]+)\s=\s([^\/\n]+)
LOOKAHEAD = 100000
FORMAT = $1::$2
REPEAT_MATCH = true

(props)

[(?::){0}splunk:config:btool:*]
TRUNCATE=10000
MAX_EVENTS=10000
KV_MODE = none
BREAK_ONLY_BEFORE = conf[\s]+\[
#SEDCMD-removespaces = s/\ +/\ /g
REPORT-dotheparsething = dotheparsething

But I am getting nothing! Regex101 seems happy with my search.
Is it possible to change the colors: High to Red, Medium to Yellow, Low to Green? If it is possible to change the color, please help to recommend. Best Regards, CR
Hi everyone, I just installed the App for Postgres on my Search Head and the required Add-on for Postgres on the db server. Is there any configuration instruction so I can configure the connection? I have been searching the Internet and YouTube and did not find any docs. thanks for help, pawelF
Hello Team, I asked the same question in my previous post: https://community.splunk.com/t5/Splunk-Search/How-to-write-a-search-to-compare-two-weeks-errors-and-highlight/m-p/617827#M214708 I am not getting the correct results while using the suggested workaround in SPL. So I have modified my SPL as below. Here my release is for 14 days and I need to compare the events with "Current_release_error" & "Last_release_error". If any new error is only present in the current release then I want to call out those results. Please suggest some valuable workarounds.

index="ABC" source="/abc.log" ("ERROR" OR "EXCEPTION") earliest=-14d latest=now() | rex "Error\s(?<Message>.+)MulesoftAdyenNotification" | rex "fetchSeoContent\(\)\s(?<Exception>.+)" | rex "Error:(?<Error2>.+)" | rex "(?<ErrorM>Error in template script)+" | rex "(?ms)^(?:[^\\|\\n]*\\|){3}(?P<Component>[^\\|]+)" | rex "service=(?<Service>[A-Za-z._]+)" | rex "Sites-(?<Country>[A-Z]{2})" | eval Error_Exception= coalesce(Message,Error2,Exception,ErrorM) | eval Week=case(_time<relative_time(now(),"-14d@d"),"Current_release_error",_time>relative_time(now(),"-28d@d-14d@d"),"Last_release_error") | stats dc(Week) AS Week_count values(Week) AS Week BY Error_Exception | eval Week=if(Week_count=2,"Present in Previous Release",Week) | where Week_count=1
Hello everyone, I have the below search:

index=flexcube [|inputlookup AUTHs.csv | fields + role_id ] [|inputlookup function_ids.csv | rename C_FUNCTION_ID as role_function | fields + role_function] | rename role_function as function_id | chart latest(control_1) as NEW, latest(control_8) as AUTH over function_id by role_id limit=0

and it returns the following table:

function_id    AUTH: A    AUTH: B    AUTH: C    AUTH: D
1 ACDCBIRD                  0          1
2 CADAMBLK       1                                  0
3 CLDACAUT       1          0          0          0
4 CLDACCNT       0          1          1          1
...etc.

I want to create an alert that catches only when a value changes from blank to 0 or 1, or vice versa. Thanks in advance.
Hi, After I ticked "Enable Indexer acknowledgement" in "HTTP Event Collection" -> "Auto Generated ITSI Event Management Token", I no longer have notable events generated. And I saw "Data channel is missing" errors in the _internal index. After some research, I understood from https://docs.splunk.com/Documentation/Splunk/8.2.7/Data/AboutHECIDXAck that the HEC sender must include a channel identifier. But how do I configure ITSI so that it includes the channel identifier when it is generating notable events? Thank you very much.
Hi, the log format is JSON. I have a field named Organization. Now when Organization = "Systèmes", this has the following consequences:
- When doing a search with Organization = "Systèmes" (and doing e.g. a table output), I get no results
- When doing a search with Organization = Syst* (and doing e.g. a table output), I get results
I am wondering why Splunk would not recognize this è in the search ... I read different topics where CHARSET in the props.conf file was suggested, but should Splunk not recognize this è by default? And what would be the solution to get this recognized by Splunk by default? Thanks in advance! Edwin
Hi Everyone, I have the below query by which I am extracting manager name, email etc. by applying a join on managerno to all employee records, since the manager will also be a part of it. This query is taking 120 sec to execute but I need to minimize it and keep it under 20 seconds. Any help will be appreciated.

index="myid_transac_idx" sourcetype="myID_Identity" earliest=-1d@d latest=now() |fields employeeno display_name loginid email status managerno Termination_process_date |where status="Terminated" and Termination_process_date > "2022-10-01 00:00:00.00" |join type=LEFT managerno [ search index="myid_transac_idx" sourcetype="myID_Identity" earliest=-1d@d latest=now() |fields employeeno display_name loginid email status |rename employeeno as managerno |rename display_name as manager_name |rename loginid as managerloginid |rename email as manageremail |rename status as managerstatus]|fields employeeno display_name loginid email status managerno manager_name managerloginid manageremail managerstatus | table employeeno display_name loginid email status managerno manager_name managerloginid manageremail managerstatus
I am trying to create a search which looks for an EventCode 4624 followed by another EventCode 4625 from the same user; if someone could assist that would be fantastic. Having a read into Multisearch, join etc. Attempted transaction but it appears to be slow.

index=dirsvcs_seceventlogs source="wineventlog:security" EventCode=4625 [ search source="wineventlog:security" EventCode=4624 | table cs_username EventCode] | stats count, distinct_count(cs_username), values(cs_username) by EventCode