Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

I use Splunk to monitor a basic text file on multiple Windows servers with the following stanza in inputs.conf:

    [monitor://C:\Windows\System32\logfiles\Ansible.log]
    disabled = 0
    sourcetype = Ansible
    index = sw
    interval = 10

This always works at first, and I can find all the events inside Splunk. But that Ansible.log file is regularly updated by PowerShell, a Scheduled Task or something similar, and over time several servers will have 0 events for that Ansible.log file. In the file system the file has been updated recently, but the Splunk Universal Forwarder just doesn't send the updates, although those servers do have events from other sourcetypes. Restarting the SplunkForwarder service, restarting the server and upgrading the Splunk Universal Forwarder do not fix the issue. The file is a simple raw text file (typically UTF-8, but I've tried multiple formats). I've made sure permissions are correct and that the service which runs the SplunkForwarder has read rights. What else can I do to have the SplunkForwarder send updates to that file?
Hi, I am looking for Ansible playbooks to deploy Splunk Master, indexer, header and forwarder. Can anyone provide insights?
In my dashboard, when one of the dropdowns is changed I need to reset the value in the other dropdowns to the default value (*); this can easily be done using the <change> handler, so no issues there. The problem arises when the user clicks a link to the dashboard with pre-populated parameters for the dropdowns (the user is taken to a specific state of the dropdowns). Loading the dashboard with the incoming HTTP parameters for the dropdowns also triggers the <change>, which resets all of the selected dropdowns. My question is: how can I prevent the <change> from triggering on the initial load of the dashboard? Once the dashboard has been loaded I want the <change> to trigger when the user changes certain dropdowns.

I tried the following approach. In the dropdown for which I want to prevent the <change> from triggering, a condition was added to check that the token $FirstLoad$ is set to "Done":

    <change>
      <condition match="tostring($FirstLoad$) == &quot;Done&quot;">
        <set token="form.PipelineName">*</set>
        <set token="form.LabelName">*</set>
      </condition>
    </change>

In the heaviest search I set a token when it completes (Done):

    <done>
      <set token="FirstLoad">Done</set>
    </done>

The thinking behind the above was that, since on initial load the $FirstLoad$ token will not be set, the <change> should not trigger; but as soon as the $FirstLoad$ token is updated to "Done", the <change> is triggered. Very frustrating. Anyway, maybe I am missing something simple? Any ideas are appreciated.
Looking at Splunkbase, there are quite a lot of Proofpoint apps/TAs. Which one should I install in order to connect to the Proofpoint endpoint and receive the data?
I am troubleshooting an API failure for a Splunk SOAR app. I found that the response code and details of the API are written to the system via the save_progress method of the BaseConnector class, but I can't find those logs in the actiond log file. Could you guide me on whether they are written somewhere else, so that I can find them?
On a new install of Splunk Enterprise 9.4.0 on the intended Deployment Server, under Settings ==> Forwarder Management, we get the following:

    Forwarder Management unavailable
    There is an error in your serverclass.conf which is preventing deployment server from initializing. Please see your serverclass.conf.spe file for more information.

This is the first time I've seen this in the years that I've been Splunking, and the only serverclass.conf file is the one from the installation in $SPLUNK_HOME/etc/system/default. What am I missing? Help, please.
Hi all. I'm trying to work on something which currently shows a bunch of IP hits and the counts against them; the current output is for the last 2 hours.

Query:

    index=source sourcetype="source"
    | stats count values(Hostname) by SourceIP
    | sort by -count
    | rename "count" to "Total count", "values(Hostname)" to "Hosts"

Output:

    IP                 Count
    100.100.100.100    5

I want to add a new column called "Last30days" that takes the IP address found in column 1 and counts it for the last 30 days, so like the above but with another column for the last 30 days. Final output below:

    IP                 Count    Last30days
    100.100.100.100    1        10

I've tried various variations but can't get it to work.
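An added example, not from the original post, of one way to get both counts in a single pass without joining a second search: run the full 30-day search once, flag each event that also falls inside the last two hours, and let stats produce both columns. The index, sourcetype, SourceIP and Hostname names are taken from the question. The `earliest=-30d` in the search overrides the time picker, so the two-hour window is computed with relative_time() instead of being taken from the picker.

```spl
index=source sourcetype="source" earliest=-30d latest=now
| eval recent=if(_time >= relative_time(now(), "-2h"), 1, 0)
| stats sum(recent) as Count,
        count as Last30days,
        values(eval(if(recent=1, Hostname, null()))) as Hosts
        by SourceIP
| where Count > 0
| sort - Count
| rename SourceIP as IP
| table IP Hosts Count Last30days
```

The `values(eval(...))` keeps the Hosts column restricted to the last two hours, as in the original output; use plain `values(Hostname)` to list every host seen in the month. `where Count > 0` drops IPs that were only active earlier in the 30 days; remove it to keep them with a Count of 0. The other common approach, `append [search ... earliest=-30d | stats count as Last30days by SourceIP]` followed by a second stats to merge the rows, also works but is subject to the subsearch result and run-time limits, so it is less reliable on a busy source.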
Hi everyone. I need to modify this bar chart in order to hide the overlay line and display the overlay values. I also need to remove the "Total" value from the legend. This is my CSS configuration, which doesn't work:

    <row>
      <panel depends="$css$">
        <title>CSS</title>
        <html>
          <style/>
            <!-- hide numbers on the chart -->
            #hide_number_distribution .highcharts-data-label text tspan {
              visibility:hidden;
            }
            <!-- show numbers for "Total" -->
            #hide_number_distribution .highcharts-series-0 .highcharts-data-label text tspan {
              visibility:visible !important;
            }
            <!-- hide line for "Total" -->
            #hide_number_distribution .highcharts-series-0.highcharts-line-series path {
              visibility:hidden !important;
            }
            <!-- hide "Total" from the legend -->
            #hide_number_distribution .highcharts-legend-item .highcharts-line-series .highcharts-color-undefined .highcharts-series-0 {
              visibility:hidden !important;
            }
          </style>
        </html>
      </panel>
    </row>

The id "hide_number_distribution" is on the panel (not on the chart), and the dataLabels option for the chart is:

    <option name="charting.chart.showDataLabels">none</option>

Can anyone help me understand why this does not work and fix it? Thanks in advance.
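An added rewrite of the panel above, not the poster's own code, that fixes the three things a reviewer would flag. First, `charting.chart.showDataLabels` set to `none` means Highcharts draws no data-label elements at all, so the rule that makes the series-0 labels visible has nothing to act on; the option has to be `all` and the CSS then hides the labels of the other series. Second, as posted the element is written `<style/>`, which in XML is a self-closing tag, so if the dashboard source really reads that way the rules that follow are plain text rather than a stylesheet; the rewrite uses a paired `<style>...</style>` and CSS comments, since the dashboard is parsed as XML before the browser sees it. Third, the legend selector chains four classes with spaces, which selects nested descendants, while Highcharts puts `highcharts-legend-item`, `highcharts-line-series` and `highcharts-series-0` on the same `<g>` element, so the classes have to be joined without spaces. The panel id and option name are from the question; the Highcharts class names are the standard ones Splunk's chart renders and are assumed here.

```xml
<row>
  <panel depends="$css$">
    <title>CSS</title>
    <html>
      <style>
        /* hide the value labels of every series ... */
        #hide_number_distribution .highcharts-data-label text tspan {
          visibility: hidden;
        }
        /* ... except the overlay ("Total"), which is series 0 */
        #hide_number_distribution .highcharts-series-0 .highcharts-data-label text tspan {
          visibility: visible !important;
        }
        /* hide the overlay line itself but keep its labels */
        #hide_number_distribution .highcharts-series-0.highcharts-line-series path {
          visibility: hidden !important;
        }
        /* all legend classes sit on one <g>, so chain them without spaces */
        #hide_number_distribution .highcharts-legend-item.highcharts-series-0 {
          display: none;
        }
      </style>
    </html>
  </panel>
</row>
```

The chart panel needs `<option name="charting.chart.showDataLabels">all</option>` for the first two rules to have anything to show or hide. Note also that `depends="$css$"` means the panel, and therefore the stylesheet, is only rendered once the `css` token is set; if nothing sets it (an `<init>` block, or a search `<done>` handler), none of these rules ever load.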
I see multiple versions of the inputs.conf Visio stencil, but I'm looking for props.conf and transforms.conf ones. Does anybody know of any?
Hi, I wanted to check how I can get the total data transferred from on-prem heavy forwarders and intermediate forwarders to the cloud indexer cluster. Is there a search which can look into splunkd.log or metrics.log from the heavy forwarder for the data transferred over 24 hours?
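An added example, not from the original post. Every Splunk instance that forwards data writes a `group=tcpout_connections` line to its metrics.log for each outbound connection, and each line carries a `kb` field with the kilobytes sent on that connection during the sampling interval. Forwarders ship their own metrics.log to the `_internal` index by default, so the 24-hour sum can be taken from a search head against the cloud stack. The `host=*` is a placeholder to narrow down to the heavy and intermediate forwarder hostnames.

```spl
index=_internal sourcetype=splunkd source=*metrics.log* group=tcpout_connections
    host=* earliest=-24h latest=now
| stats sum(kb) as kb_sent by host, destIp, destPort
| eval gb_sent=round(kb_sent/1024/1024, 2)
| sort - kb_sent
| addcoltotals labelfield=host label="TOTAL" kb_sent gb_sent
```

The receiving side records the mirror image: the cloud indexers log `group=tcpin_connections` lines with a `sourceHost` and the same `kb` field, so `index=_internal group=tcpin_connections earliest=-24h | stats sum(kb) by sourceHost` gives an independent figure to reconcile against. A forwarder that is missing from the first search but present in the second is usually one whose `_internal` logs are not being forwarded.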
Hi Splunkers, does anyone know if there are datasets free to download? More precisely, I would need a network traffic dataset including good and bad domains for some Splunk Machine Learning testing. I would appreciate every idea you have. Thanks in advance! BR
I've had a working Splunk instance for a month, but post-patch it refuses to start the web UI: splunkd starts with no issues, but the UI won't work. I've tried checking web.conf, checking ports, checking firewall-cmd and checking permissions. When restarting the web server via ./splunk restart splunkweb, splunkd.log shows it restarting and then instantly stopping the module. What could be doing that?
Hello all, I am wondering if anyone has run into an issue where they receive a "500 error" on some large reports (small reports work fine). The only feedback I got from the cSAM admin was to add a timeout value in Microsoft PowerQuery, which doesn't quite seem to relate to curl though.

    personal_access_token = "MyRealToken",
    request_timeout_in_minutes = 10, // Specify your timeout value here
    data = Table.FromRecords(
        Json.Document(
            Web.Contents(
                csam_api_endpoint_url,
                [
                    Headers = [
                        #"Authorization" = "Bearer " & personal_access_token,
                        #"Content-Type" = "application/json"
                    ],
                    Timeout = #duration(0, 0, request_timeout_in_minutes, 0)
                ]
            )
        )
    )
    in
        data
Hello, I need some help with a query. I have to do this:

At the moment I haven't managed to get exactly what I've asked for. I can't place the dates of the last few days in the column; I've tried several things but to no avail.

All I've managed to do is this:

    index=aws_app_corp-it_datastage
    | spath input=_raw
    | eval Country=INVOCATIONID
    | eval StartTime=strptime(RUNSTARTTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q")
    | eval EndTime=strptime(RUNENDTIMESTAMP, "%Y-%m-%d %H:%M:%S.%Q")
    | eval Duration=round(abs(EndTime - StartTime)/60, 2)
    | eval Status = case(
        RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWW", "Completed with Warnings",
        RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FOK", "Successful Launch",
        RUNMAJORSTATUS="FIN" AND RUNMINORSTATUS="FWF", "Failure",
        RUNMAJORSTATUS="STA" AND RUNMINORSTATUS="RUN", "In Progress",
        1=1, "Unknown"
      )
    | eval StartTimeFormatted=strftime(StartTime, "%H:%M")
    | eval EndTimeFormatted=strftime(EndTime, "%H:%M")
    | eval StartTimeDisplay=if(isnotnull(StartTimeFormatted), "Start time: ".StartTimeFormatted, "Start time: N/A")
    | eval EndTimeDisplay=if(isnotnull(EndTimeFormatted), "End time: ".EndTimeFormatted, "End time: N/A")
    | table JOBNAME PROJECTNAME Country _time StartTimeDisplay EndTimeDisplay Status
    | rename JOBNAME as Job, PROJECTNAME as App
    | sort -_time
    | search Country="*" App="*" Status="*"
The InfoSec App (InfoSec App for Splunk | Splunkbase) has not been updated in quite some time. I am getting the following email from the Upgrade Readiness App:

    The Upgrade Readiness App detected 2 apps with deprecated jQuery on the https://xxx.splunkcloud.com:443 instance.
    InfoSec_App_for_Splunk
    The Upgrade Readiness App detects apps with outdated Python or jQuery to help Splunk admins and app developers prepare for new releases of Splunk in which lower versions of Python and jQuery are removed. For more details about your outdated apps, see the Upgrade Readiness App on your Splunk instance listed above.

Are we expecting to see an update?
Hey, I have a problem with event breaking. My app outputs logs that start with the date and time in the format 15/05/2024 16:35:45. Some events have an object in them and can span multiple lines, but every event starts with the date and time. For some reason Splunk sometimes combines two events, and sometimes cuts off an event that has an object in it. I tried multiple configs in props.conf, such as LINE_BREAKER, SHOULD_LINEMERGE and more. I'm new to Splunk and would be grateful if you can help me.
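An added example, not the poster's configuration. The two symptoms described match Splunk's default behaviour for an unknown sourcetype: it breaks on every newline and, with `SHOULD_LINEMERGE = true`, re-merges lines that do not start with something it recognises as a timestamp, so an event whose second line inside the object happens to look like a date gets cut there, and two events get glued together when the timestamp of the second is not recognised. The stanza below turns line merging off and makes the break rule explicit: break only where the next line starts with `dd/mm/yyyy HH:MM:SS`, which is the format given in the question. `my_app` is a placeholder sourcetype name. The regex and the explicit `TIME_FORMAT` are the important parts; the regex's capture group is the text Splunk discards at the boundary (the newline), and the lookahead keeps the timestamp inside the event.

```ini
# props.conf on the indexers or heavy forwarder that parses this sourcetype
# (a Universal Forwarder does not apply LINE_BREAKER; it only forwards raw data).
[my_app]
SHOULD_LINEMERGE = false
# Break only before a line that starts with a dd/mm/yyyy HH:MM:SS timestamp.
LINE_BREAKER = ([\r\n]+)(?=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})
# Day comes first in 15/05/2024, so spell the format out instead of letting
# Splunk guess between dd/mm and mm/dd on ambiguous dates such as 05/06/2024.
TIME_PREFIX = ^
TIME_FORMAT = %d/%m/%Y %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 19
# Raise only if a single event with its object can exceed the default 10000 bytes.
TRUNCATE = 100000

# Optional, on the Universal Forwarder's props.conf: the same regex as an event
# breaker, so a forwarder that load-balances across several indexers never
# switches indexer in the middle of a multi-line event.
[my_app]
EVENT_BREAKER_ENABLE = true
EVENT_BREAKER = ([\r\n]+)(?=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})
```

Parsing settings take effect after a restart of the instance that parses the data and only for data indexed from then on, so verify with a fresh sample rather than with events that are already indexed. If an event still comes out split, check the input file for a line inside the object that itself starts with a timestamp; if two events still merge, check that the second event's timestamp matches `TIME_FORMAT` exactly, including the single space between date and time.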
Hi everyone! Is there a way to troubleshoot and fix this issue? We have other instances, and they work fine. Internet is 24.7 Mbps download and 65.2 Mbps upload, so that's OK. ssh and ping to the host work fine; only the web page does not work for me. Colleagues do not have this problem. http://ip:8080/en-US/account/login?return_to=%2Fen-US%2F

    This page isn't working
    <ip> didn't send any data.
    ERR_EMPTY_RESPONSE
1. This is $SPLUNK_HOME/etc/system/local/inputs.conf on my Indexer:

    [splunktcp-ssl:9997]
    disabled = 0

    [SSL]
    serverCert = /opt/splunk/etc/auth/mycerts/myCombinedServerCertificate.pem
    sslPassword = $7$2sKE3fmGeaZOyBdYg6AfpoU1Gv7kXP3pEihEQoWlSKFeItPCn0lNyb0=  (myServerPrivateKeyPassword)
    requireClientCert = false

2. This is $SPLUNK_HOME/etc/system/local/server.conf on my Indexer:

    [general]
    serverName = 4b2c00e08e88
    pass4SymmKey = $7$kbQmQuYtD+ees5uv8q+WaE36j8Sk07HcWoVgOMmP8Bb69nbwERriow==

    [sslConfig]
    sslPassword = $7$9eO6Wt/mPl2QIOEu/+xh44foXzSDvMRs/0LyNn/EuZ+ab/Q93LB8bg==  (Default. I did not modify)
    sslRootCAPath = /opt/splunk/etc/auth/mycerts/myCertAuthCertificate.pem

    [lmpool:auto_generated_pool_download-trial]
    description = auto_generated_pool_download-trial
    peers = *
    quota = MAX
    stack_id = download-trial

    [lmpool:auto_generated_pool_forwarder]
    description = auto_generated_pool_forwarder
    peers = *
    quota = MAX
    stack_id = forwarder

    [lmpool:auto_generated_pool_free]
    description = auto_generated_pool_free
    peers = *
    quota = MAX
    stack_id = free

3. This is /opt/splunkforwarder/etc/system/local/outputs.conf on my UF:

    [tcpout]
    defaultGroup = default-autolb-group

    [tcpout:default-autolb-group]
    server = 176.32.83.56:9997
    disabled = 0
    sslPassword = $7$M4MRBHX8rh11KC509o7cRe/QOxo3EZBA5pXjGn5cZuHtb0FO3dFj5ks=  (myServerPrivateKeyPassword)
    sslVerifyServerCert = false

4. This is /opt/splunkforwarder/etc/system/local/server.conf on my UF:

    [general]
    serverName = suf
    pass4SymmKey = $7$hE1rQcMJG9ZPB0DvxG+KMGbMmNly4JylVUhFC59Nz+LBa+o1ahblmg==

    [sslConfig]
    sslPassword = $7$30hXe/EpmNqvXRzVPC0KF+1YNptHuhrxEnChvX5Se8ySRni+uAQFHWk=  (Default. I did not modify)
    sslRootCAPath = /opt/splunkforwarder/etc/auth/mycerts/myCertAuthCertificate.pem

    [lmpool:auto_generated_pool_forwarder]
    description = auto_generated_pool_forwarder
    peers = *
    quota = MAX
    stack_id = forwarder

    [lmpool:auto_generated_pool_free]
    description = auto_generated_pool_free
    peers = *
    quota = MAX
    stack_id = free

The above configurations did not succeed. When I executed the following command:

    /opt/splunkforwarder/bin/splunk list forward-server

I got the following result:

    Active forwards:
        None
    Configured but inactive forwards:
        176.32.83.56:9997
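An added example, not the poster's file, of the forwarder side of this setup. Two settings in the posted outputs.conf deserve a close look. `sslPassword` under a `[tcpout:...]` stanza is the passphrase of the private key inside `clientCert`; with no `clientCert` configured it has no effect, and the indexer's server key password is never needed on the forwarder at all (the `$7$` values are also encrypted with the local splunk.secret, so a value copied from another instance does not decrypt). Whether the forwarder negotiates TLS is governed by `useSSL`, whose default `legacy` only turns TLS on when a client certificate is configured, so a forwarder with the stanza in the question opens a cleartext connection to a port that is waiting for a TLS handshake; a forward stuck in "configured but inactive" is consistent with that. The stanza below keeps the question's receiver address and relies on `requireClientCert = false` on the indexer, which is why no client certificate is needed.

```ini
# /opt/splunkforwarder/etc/system/local/outputs.conf (added example)
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 176.32.83.56:9997
disabled = 0
# Negotiate TLS even without a client certificate. The default value
# "legacy" enables TLS only when clientCert is set.
useSSL = true
# No clientCert and no sslPassword: the indexer has requireClientCert = false,
# and sslPassword would only be the passphrase for a clientCert key.
#
# false is fine while confirming the handshake works. Leave it false and any
# host that answers on 9997 with any certificate receives the data, so once
# the forward is Active switch it to true; verification uses the CA in
# server.conf [sslConfig] sslRootCAPath, which the question already points at
# /opt/splunkforwarder/etc/auth/mycerts/myCertAuthCertificate.pem
sslVerifyServerCert = false
```

After `/opt/splunkforwarder/bin/splunk restart`, `splunk list forward-server` should move 176.32.83.56:9997 to the active list. If it does not, `grep -i TcpOutputProc /opt/splunkforwarder/var/log/splunk/splunkd.log` shows the connect or handshake error, and `openssl s_client -connect 176.32.83.56:9997` run from the forwarder host confirms whether the indexer is actually presenting its certificate on that port (on a host without openssl, `/opt/splunkforwarder/bin/splunk cmd openssl s_client -connect 176.32.83.56:9997` uses Splunk's bundled copy).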
The Jenkins health dashboard is using index="jenkins_statistics" in the base search instead of the macro `jenkins_index`, unlike the previous version. Because of this change, the dashboard is now not showing any data in Splunk Cloud.
Hi Splunkers, I have a very simple question. When I configure a Splunk indexes.conf, I know that one parameter I can configure is repFactor. In a scenario where SmartStore is used, we know that repFactor must be set equal to "auto" for each configured index. Here is the question: following the official Splunk documentation, repFactor is placed under "Per index Options". Does this mean that I cannot put it under the [default] stanza? Because if, for SmartStore requirements, I need to configure it equal to auto for EVERY index, it would be fast and smart to put it as a global setting. Luca