I have a field with data like this:

loggingObject.methodName="WXYX.MNOController.myMethodName"
loggingObject.methodName="DEF.GHI.TUVController.myMethodName2"

I want to extract just the myMethodName part. If the dot before it is there, that is fine. I tried using the regex field extractor, and this is what it came up with:

^(?:[^\.\n]*\.){9}(?P<methodName>\w+)

But it seems like it's creating a name for the extracted field, "methodName". I then tried to use it in my query like this:

| regex methodName="^(?:[^\.\n]*\.){9}(?P<methodName>\w+)"

But it doesn't work. There also isn't anything in that line that tells it to extract from the loggingObject.methodName field specifically. How can I extract what I'm trying to extract?
Hi, I am trying to show successful validations and failures in one of the dashboard panels. I am logging exceptions in the traceData.exception field. In this field there is the exception with the full stacktrace, but I would like to display just the exception name, so I need to extract just the first line of the exception. My query looks like:

index=xxx sourcetype="xxx" app=xxx event.data.request.uri="/xxx"
| rename event.data.response.statusCode as statusCode
| rename event.traceData.exception as exception
| rex field=exception "(?<exception>.*)"
| eval result = if(statusCode=201,"Valid", 'exception')
| timechart span=1h count by result

The issue is that it displays "Valid" calls, but for exceptions it just displays one exception, and the other one is NULL.

_time             Valid  Token invalid  NULL
2022-10-13 08:00  1      1              1

Both exceptions have the same fields (just different exception values and stacktrace). Could you help me with a query which will display the results and extract all the exceptions without the stacktrace?
Hello, I have a data source with a dynamic structure: the position of comma-separated field/value pairs changes for some of the events. A few sample events and the extraction I used are given below. My extraction is working for event one, but not for the other 2 events, as the field/value positions change there. Any way we can use one field extraction to address this issue would be highly appreciated. Thank you so much.

Timestamp:(?P<TIME_STAMP>.+), Type:(?P<TYPE>.+), EType:(?P<EType>.+), TCode:(?P<TCode>.+), EventId: (?P<EventId>.+), Id: (?P<Id>.+), SAddress: (?P<SAddress>.+), System: (?P<System>.+), SId: (?P<SId>.+), eSignCode: (?P<eSignCode>.+), RCode: (?P<RCode>.+), Error: (?P<Error>.+)

2022-10-12 06:42:36.591 { INFO } [default task-79] - Timestamp: 2022-10-12T11:42:39.591Z, eSignCode: 3012, Type: REGT, EType: ESIGN, TCode: 23005, EventId: GET_SIGN, Id: 12045, SAddress: 35.168.40.67,  System: EIVES, SId: =/=S()A.b(X(-yJrV/+do)f(Q_)uca-/6+o_v.k|39OYc+Fh_=YOX-iDA++===,  RCode: 000, Error: nullm

2022-10-12 06:42:30.591 { INFO } [default task-79] - Timestamp: 2022-10-12T11:42:30.591Z, Type: REGT, TCode: 23305,  Id: 12045, SAddress: 35.168.40.67, System: EIVES, SId: =/=S()A.b(X(-yJrV/+do)f(Q_)uca-/6+o_v.k|39OYc+Fh_=YOX-iDA++===, eSignCode: 3012, EventId: GET_SIGN, Error: nullm

2022-10-14 06:42:26.591 { INFO } [default task-79] - Timestamp: 2022-10-12T11:42:26.591Z, Type: REGT, TCode: 23015, EventId: GET_SIGN, RCode: 010, Id: 12045, SAddress: 35.168.40.65, System: EIVES, SId: =/=S()A.b(X(-yJrV/98do)f(Q_)tca-/6+o_v.k|39OYc+Fh_=YOX-iDA++===, EventId: GET_SIGN,  Error: nullm
Hi All, I'm trying to optimize the following search because it runs very slow. Looking for some help w/it. I've been exploring the multi-search command also, but cannot figure out how to get it working yet...

| union
    [search index=xmo2-aws host=xmo2-prod* sourcetype=oss_app_log "Step completion_code set/reset" (flow_name=UcdeDeviceOnboarding AND step_name=ShowDeviceProgramOffer AND completion_code=0)
    | join type=inner session [search index=xmo2-aws host=xmo2-prod* sourcetype=oss_app_log "Step completion_code set/reset" (flow_name=UcdeDeviceOnboarding AND step_name=ShowBackupDeviceProgramOffer AND completed_from_ui=False AND completion_code=0)]
    | join type=inner session [search index=xmo2-aws host=xmo2-prod* sourcetype=oss_app_log "Step completion_code set/reset" (flow_name=UcdeDeviceOnboarding AND step_name=SetUserOnboardingComplete AND completion_code=0)]
    | timechart span=5m dc(session) as total1]
    [search index=xmo2-aws host=xmo2-prod* sourcetype=oss_app_log "Step completion_code set/reset" (flow_name=UcdeDeviceOnboarding AND step_name=ShowDeviceProgramOffer AND completion_code=0)
    | join type=inner session [search index=xmo2-aws host=xmo2-prod* sourcetype=oss_app_log "Step completion_code set/reset" (flow_name=UcdeDeviceOnboarding AND step_name=ShowBackupDeviceProgramOffer AND completed_from_ui=False AND completion_code=0)]
    | join type=inner session [search index=xmo2-aws host=xmo2-prod* sourcetype=oss_app_log "Step completion_code set/reset" (flow_name=UcdeDeviceOnboarding AND step_name=SetUserOnboardingComplete AND completion_code=0)]
    | join type=inner session [search index=xmo2-aws host=xmo2-prod* sourcetype=oss_app_log "Step completion_code set/reset" (flow_name=UcdeDeviceOnboarding AND step_name=ShowUcdeActivationStatus AND completion_code=0)]
    | timechart span=5m dc(session) as total2]
| timechart span=5m sum(total1) as eval1, sum(total2) as eval2
| eval ActivationFailed=eval1-eval2
| timechart span=5m sum(eval2) as "Accepted & SignedIn", sum(ActivationFailed) as "Activation Failed" partial=f
I'm using RBA and am having issues with duplicate notables for the same thing. For example, I'll get a notable for both a host name and an IP, or I'll get one for a userID and an email. How do assets and identities work with RBA and the Risk Index?
Hello Splunkers, we have a requirement where we need to get the consolidated list of alerts in ITSI that were generated, and need to get the status of the alerts (closed or still active). When I run the query below, I don't see any status of the alerts:

index="itsi_grouped_alerts" source="XXXX" sourcetype = itsi_notable:group

Is there any way we can have all the alerts from ITSI listed with status?
Is there a recommended way to update Splunk apps in clustered environments? Based on some app instructions, the recommended approach is to copy over the app archive contents into /etc/shcluster/apps/ (or /etc/manager-apps/ for CM). This overwrites existing contents and should preserve the local directory (unless the upgraded app has a local directory). Should I follow that for all apps? Same question for standalone servers: should I use the above approach or use the install CLI command?
Hello, I have a scenario that I need to confirm works with Splunk. I have 2 environments:

Cluster1
Cluster2

I have the same application set up on both environments: Appxyz

Now I need to check that the versions of Appxyz on Cluster1 and Cluster2 are the same. I send a curl request to https://cluster.Appxyz and https://cluster2.Appxyz, and the request returns JSON values like name: thisname, clustername: thisclustername and version: v123 or V321. I need to extract only the version values from the JSON, i.e. v123 or v321, where Cluster.Appxyz.version => v123 and Cluster2.Appxyz.version => v321.

In this case:
if Cluster1.Appxyz.version is != to Cluster2.Appxyz.version, throw some alert stating "mismatched versions"
if Cluster1.Appxyz.version is == to Cluster2.Appxyz.version

Can this be achieved using Splunk? Thanks
The CIM documentation says that we should install CIM only on the SH. But it contains an indexes.conf in default. Should we leave the indexes.conf in the SHC? In this case the index defined inside indexes.conf won't be usable because it is not defined in the indexer cluster. We don't know if it is correct to define the CIM indexes.conf in the SHC instead of the indexers. Has anyone managed to install CIM in a clustered environment without issues?
Hi All, I have a dashboard with a dropdown of about 40 choices that come from a search query (not static). Each choice should "unhide" the respective panel on the dashboard. I do not think I am grasping the <done>, <change>, <finalized>, <condition match>, etc. elements I need to figure this out. I have created a dummy version of my actual dashboard below:

<form>
  <fieldset submitButton="true" autoRun="false">
    <input type="dropdown" token="dashboard">
      <label>Dashboard Selection</label>
      <fieldForLabel>Picker</fieldForLabel>
      <fieldForValue>Picker</fieldForValue>
      <search>
        <query>| makeresults | eval Picker = "Apple,Orange" | eval Picker = split(Picker,",") | stats count by Picker</query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>DEBUG TOKENS : : : showapple - $showapple$ || dashboard - $dashboard$</html>
    </panel>
  </row>
  <row>
    <panel depends="$showapple$">
      <title>Apple Dashboard</title>
      <table>
        <search>
          <query>| makeresults | eval Events = "10.10.10.10" | table Events</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$showorange$">
      <title>Orange Dashboard</title>
      <table>
        <search>
          <query>| makeresults | eval Events = "192.168.1.1" | table Events</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

You will notice I do not have any code to decipher when showapple or showorange is true. I basically tried iterations of this code to make it work:

<done>
  <condition>
    <eval token="showapple">if($dashboard$="Apple","TRUE",null())</eval>
    <eval token="showorange">if($dashboard$="Orange","TRUE",null())</eval>
  </condition>
</done>

I have tried using the above in different areas, and I always get null().
I also tried doing <change> instead of <done> so the dashboards would change depending on the dropdown value instantly, but I did not have success there either.
I am looking to create a Splunk query but am finding it complex to start with.

Use case: Index 1 has two logs like:

Log 1: Received from client C for user Y and request id: X
Log 2: request id:X completed

Index 2 looks like:

User Y has total sent items count : Z

I want to output all user item counts from a particular client, say D, for which the request is completed. Basically, if there was a request from client D and that request is completed, give me the User and items count for that.
I have the JSON events below, where there are errors present in a field which is a list. I want to extract the values in the list and group them with another field which is part of an object of the same event. After grouping I want to count them like the output below. I am using the query below but not getting the expected output. Any help on this will be highly appreciated.

Sample JSON Event1

{ "errorList": ["There is an ErrorA", "There is some other ErrorB", "Ohh another ErrorC"], "Details": { "type": "ABC" } }

Sample JSON Event2

{ "errorList": ["There is some other ErrorB", "Ohh another ErrorC"], "Details": { "type": "XYZ" } }

Expected Output

Type  Error                       Count
ABC   There is some other ErrorB  3
ABC   There is an ErrorA          4
XYZ   Ohh another ErrorC          2

Query I am trying

BASE_SEARCH
| rex field=MESSAGE "(?<JSON>\{.*\})"
| spath input=JSON
| rename Details{}.type as "Type"
| rename errorList{} as "Error"
| stats count as Count by "Type" "Error"
| table Type, Error, Count
I have a search which triggers an alert if an event hasn't been received by 6.20 am. That alert works fine, but it needs to send data into another system. That system needs a unique id within its Key field. key=$result._time$ won't work as the event doesn't exist. Is there a way to add a unique value into that key field on an event that doesn't exist? The search is:

sourcetype=Batch OR sourcetype=ManualBatch "Step 'CleanupOldRunlogs' finished with status SUCCESS"
Hello everyone, have you ever wondered why Microsoft does not document the Operation types with Unicode + meaning? You don't need to anymore. I have done the needed research (anyone can do it) and here are the results:

%%2458 = Read
%%2459 = Write
%%2457 = Delete
Hi, we designed a new custom model using the TensorFlow library to do the predictive analysis for our use case. We have installed DLTK (container-based) and the DLTK environment setup is done. We are looking for the steps/video to upload our custom ML model which is trained outside of the Splunk environment. Is it possible to upload the custom ML model into Splunk? If yes, how can we call the custom ML model based on the application logs? Please help.
I have an alert with a "Send email" trigger action when the number of results is greater than zero. The aim is to send a table of results inline in the email. This isn't currently working - no email is being received when there are valid qualifying events in the search period (previous day). The alert was deployed using the SHC deployer, and is owned by "nobody". If I "Open in Search" I see results. If I clone the alert so a local version is run under my user context, I get the alert email sent.   Looking into _internal events, I can see that when the "nobody" search runs, no results are returned, and hence no email is sent - this isn't an issue with email configuration. Why does this search in this context give me no results?
I have a correlation search running every 5 mins to get the last 15 mins of data. The requirement is: if the event comes for the first time and creates the episode, it should not create an incident at that time. It should wait for 15 mins, and then, if the issue is still there, create an incident. How will we know the issue is still there? We have auto-closure as well: for the same event, if the auto-closure event comes, correlate the event into the same episode and close the episode. This should happen if the auto-closure event comes within 15 mins. If auto-closure comes after 15 mins, then close the incident. The action for raising the incident will be based on status=ACTION, and for auto-closure the status is OK.

Now, to implement this we have created the following action rules in the NEAP policy:

1. To stop the episode creating an incident for 15 mins:
   if the events in the episode are >=1 and status is active and the episode has existed for 900 sec --> SNOW configure

2. To close the episode after receiving status OK within 15 mins:
   if the events in the episode are >=2 and status is OK --> Close the episode

3. To close the episode after receiving status OK after 15 mins:
   if the events in the episode are >=2 and status is OK and incident_status for that episode is not resolved or closed --> Close incident in SNOW

But the use cases I tried are not working. Can anyone help me with how we can implement this?
Can anyone assist with this? I see quite a few people have successfully got the logs working following this workaround --> https://support.umbrella.com/hc/en-us/articles/360001388406-Configuring-Splunk-with-a-Cisco-managed-S3-Bucket

However, we get the following error when trying to run the shell script:

fatal error: SSL validation failed for <link> EOF occurred in violation of protocol (_ssl.c:1129)
While pushing the application from the deployment server to search head1, it gives me this error after entering the command below. Help me to sort this issue.

./splunk apply shcluster-bundle -target https://172.31.14.82:8089

[root@ip-172-31-3-3 bin]# ./splunk apply shcluster-bundle -target https://172.31.14.82:8089
Warning: Depending on the configuration changes being pushed, this command might initiate a rolling restart of the cluster members. Please refer to the documentation for the details.
Do you wish to continue? [y/n]: y
WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
Your session is invalid. Please login.
Splunk username: admin
Password: \Error in parsing pass4SymmKey under shclustering stanza.
Hi all, I have a correlation search that passes alerts from another system into ES, and I need to prevent the urgency of the alert from being changed by ES. Essentially I (think I) need ES to ignore the priority of any asset or identity associated with the incident so that the urgency doesn't change. Can anyone offer any advice on how to do this? Thanks very much.

Edit: I should add, I didn't create the original correlation search and I don't have much experience in this area, hence the question. Thanks again!