Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

Hello Everyone, Recently I got to know about a feature in AppDynamics where we can trigger scripts on an HR violation. I am really excited to use this functionality for our project. I am looking for some real-time use cases where this has been implemented and has resolved a great problem.
1. Currently I have written a script that restarts an application whenever it goes down (App Availability HR gets violated). This has been working successfully.
2. I have also written a script to purge the old logs when disk space utilization goes above a certain threshold. This works fine as well.
I am looking for some other use cases where this has been used or can be used. It would be really great if I could get suggestions and ideas on this. Thank You, Saad.

Hello, I have the following type of event, and I would like to extract the `tags` field into its respective fields.

2022-10-17 06:50:00.997, root_device_name="/dev/sda1", root_device_type="ebs", state_name="running", subnet_id="subnet-REDACTED", tags="{"App": "myapp", "Name": "myserver", "Owner": "myteam", "Scope": "myscope", "AWSBackup": "True", "Environment": "myenv", "Compliance requirement": "N/A"}", virtualization_type="hvm", vpc_id="vpc-REDACTED"

I have tried the following, which did not work for me:

index=myindex sourcetype=mysourcetype earliest=@d i-REDACTED source=awsec2instances | spath input=tags

How do I extract these JSON fields from an event like this?

Hello Team, I'm new to Splunk and trying to get some insight/help for the issue below. I'm trying to read data from 2 different indexes and create a consolidated table. The scenario here is that the field values are the same but the field names are different.

index="itsi_grouped_alerts" source="ABC" sourcetype=itsi_notable:group | where itsi_group_id="8a84c088-ba86-4d0a"

index="itsi_notable_audit" source="Notable Event Audit" sourcetype=itsi_notable:audit event_id="8a84c088-ba86-4d0a"

When I try to use a join command, it doesn't give any error. Appreciate your assistance.

I have a query in a panel that is being output in a table. Can I adjust the width of one of the columns, shrinking it, so that the text is then wrapped across multiple lines?

So I have been able to set up and create the different monitors for my universal forwarder. I'm working in a test environment so I don't need SSL; however, I am attempting to monitor changes to an Ubuntu 16.04 machine via the universal forwarder. The data is pretty sparse; I initially thought it was because there is no user interaction. Now I get some logs, but I also get a 500 internal web error. Any idea on the cause of this? And why am I not getting the logs from tmp or the user access logs?

I'm asking this question because the only solutions I find for this problem are with the XML config file, while I only have access to the JSON source code. I've looked at the recent Splunk documentation and there doesn't seem to be a depends field for the visualisation configuration in the JSON source file. I'm trying to hide a specific panel if a dropdown choice isn't selected. Any help would be appreciated. Thanks.

Hi, utter noob here - I apologise for any really silly questions! I'm installing Universal Forwarder on several machines which will forward data to a further intermediate instance, and then on to Enterprise. My question is around the user account that the UF wants when I'm installing it. Does this have to be a local service account or can it be a domain user account? I'm asking because, on a domain-joined machine, I have created a SplunkAdmin local user, but when I go to Local Security Policy > Local Policies > User Rights Assignment > Log on as a service to add the local account, the account is not shown, just the domain accounts and groups. Does this mean I need to create a Splunk account at the domain (AD) level and use it on all machines where I am installing Splunk Universal Forwarder? Thanks for any and all help!

Hello, for eventgen, can I place the sample file in a separate directory under the samples directory, e.g. /opt/splunk/etc/apps/SA-Eventgen/samples/my-samples/test1-sample.csv? If I can place the sample file like above, where can I specify the location of test1-sample.csv in eventgen.conf? Thank you in advance for your help.

Hello all, I am trying to upgrade my Splunk Enterprise from 8.2.0 to 9.0.0 and I keep running into this error when the installer is done copying new files and does a 'rollback action': "setup cannot copy the file splknetdrv.sys ensure that the location specified below is correct or change it and insert splunk network monitor kernel driver in the drive you specify". The file is in the correct location, but when I hit retry it asks again. I finally just cancel and it asks "continue setup without copying file?", to which I say yes. It then asks me about the other two system files, "SplunkMonitorNoHandleDrv.sys and splunkdrv.sys", which brings the same error and says installation failed. I ran as admin and also through PowerShell. I looked through my logs as well and did not see any problems.

Hi, hope you are doing well. I want to build one query where I will get the user with the associated event code or IP. For example, if I use stats count by user, event code, I will get:

User   event code
Abc    1
Abc    2

But I want output like:

User   event code
Abc    1, 2

i.e. the user name should not get repeated for different event codes. Can you please guide me here? Thanks

I need a way to stop users with access to a Studio dashboard from being able to clone it. From this they are able to edit the new dashboard, giving these particular users too much access. These users have a minimal amount of role capabilities, Search and List all objects, so I'm unable to give them any fewer capabilities (not that any seem to relate to this). Any help or ideas would be greatly appreciated. Thanks

Hi All, what would you say is the recommended method for handling CSV files? Ingesting it into an index or using it as a lookup table? TL;DR - The server team keeps a server master list as a CSV. I want to bring it into Splunk as the reference (baseline) against which all other tools report (AD, CS, R7, etc.). Should I ingest that CSV into an index or keep it as a CSV and use it as a lookup table? Thanks in advance!

I'm using a distributed Splunk Enterprise environment with over 15 peers at the indexer tier. I have some JSON data in a small file of less than 500 KB and I'm confident that the JSON is parsed correctly; this has been verified in Python with a simple check script. Issued command:

./splunk add oneshot "/tmp/<file.json>" -sourcetype xxxx:xxxx -index <index>

The command completes and the data is ingested. However, it has been parsed as an event per line and not as JSON. Obviously in props.conf the default is not set to 'KV_MODE = json'. There is no option in the CLI when using oneshot to set it as JSON. Any thoughts or guidance, please. I am a certified Splunk PS consultant, but every day brings something new for all of us, right?

I'm trying to blacklist the event codes below since we don't have any use for them, but somehow it is not working. I made the change below and deployed it to all UFs via the DS. Any idea why it is not working?

[WinEventLog://Security]
disabled = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist = 1003,501,510,7036,1066,17137,8003,403,404,410,900-902,4690,4099
index = winlog
renderXml=false

Hello Splunk Community, I am trying to add the following command to the props.conf file to make the following search permanent: I am still very new to the Splunk world and therefore have no experience with the props.conf file. I made a copy of the props.conf file in the folder /opt/splunk/etc/system/local and put the command in there (see below). However, when starting Splunk now, the following message appears: I suspect I phrased the command wrong or wrote it into the wrong section in props.conf. Also, it would be interesting to know if the part of the command that brings the events into table form can also be written into the props.conf file and, if so, into which section of the file? Many thanks and greetings

Why is it showing blank lines in the logs? What is the reason callsock is sending blank lines? https://drive.google.com/file/d/19XH55gFxpuIwZbklD8Lgf4tIVSY3DKbn/view?usp=sharing

Hey All, I have 3 types of events coming from the same source (see below) with different codes, TS01, US03 and VS05 respectively:

1) ABC:0|Application|ABCD|I2.0|TS01|Logging Change|Medium| eventId=4xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com.......
2) ABC:0|Application|ABCD|I2.0|US03|Logging Update|Medium| eventId=5xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com
3) ABC:0|Application|ABCD|I2.0|VS05|Logging Revert|Medium| eventId=6xxxx msg=The value ..... src_user=xyz, shost=abc.ad.com

So, in event (1) I want to rename src_user as dest_user and shost as dhost, without touching the same fields in the other 2 types of events. In props.conf I can add the below:

FIELDALIAS-src_host = src_host AS dest_host
FIELDALIAS-shost = shost AS dhost

But the issue is that if I use the above in props.conf, the changes will get applied across all the event codes. So my question is whether there is a way to achieve this for only a specific code, let's say "TS01". Any help on this will be much appreciated. Thanks.

How do I replace the hyphen with a dot? For example, I have a field called IP and the value is 10-20-11-120, but I want to convert this to 10.20.11.120. I have tried | rex mode=sed, but it's only replacing the first hyphen with a dot. Please refer to my SPL below:

| makeresults | eval IP="10-20-11-120" | rex mode=sed field=IP "s/-/./"

Hi there, kindly help me with a search to trigger an alert by scanning the logs for a scheduled job and checking the elapsed time (threshold time) for each job execution instance, if the elapsed time exceeds the specified threshold for ALL three executions. Thanks in advance, Regards, Theja

Hello, I need your help to find a way to achieve the following use case. In the main search I have two categories: Windows and NIX. Both categories have ip and hostname fields.

category    ip         hostname
windows     x.x.x.x    a
nix         y.y.y.y    b

Now my requirement is to join the above result set with another result set based on the following business rules:
- for windows, I want to join based on the hostname only.
- for nix, I want to join based on both ip and hostname.
Thanks in advance for the help.