I'm reading the official documentation (https://docs.splunk.com/Documentation/Splunk/8.2.0/Installation/HowtoupgradeSplunk), which warns not to upgrade Splunk from 7.0.x to 8.2.6 directly: 7.0.x → 8.0.x or 8.1.x → 8.2.x. The documentation suggests making an intermediate upgrade to 8.0.x/8.1.x, and then to 8.2.x. Why? Is it so unsafe to go from 7.0.x to 8.2.x? Asking since I'll soon need to replace my very old 7.0.x with 8.2.x. Thanks
I have JSON events/messages in my search result. There is a field or property called "stack_trace" in the JSON, like below. I want to group the events and count them as shown below based on the exception reason or message. The problem is that traces are multi-lined, and hence the query I am using (below) seems not able to extract the exact exception message. Is there a way to achieve the expected output?

Event

    {
      MESSAGE : Failed to send
      stack_trace : com.abc.xyz.package.ExceptionName: Missing A.
        at random.package.w(DummyFile1:45)
        at random.package.x(DummyFile2:64)
        at random.package.y(DummyFile3:79)
    }

Query I am using

    MY_SEARCH
    | rex field=stack_trace "(?<exceptionclass>\w+): (?<exceptiontext>\w+)."
    | stats count as Count by "exceptiontext"

Expected Output

    Exception   Count
    Missing A   3
    Missing B   4
    Missing C   1
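An added example, not part of the original post, of a rex that stops the message capture at the first stack frame so a multi-line trace does not break it. It assumes the `stack_trace` field holds the raw trace (the `spath` line re-extracts it from the JSON in case automatic extraction did not) and that the message text contains no " at " of its own; `MY_SEARCH` stands in for the poster's base search:

```spl
MY_SEARCH
| spath input=_raw path=stack_trace output=stack_trace
| rex field=stack_trace "^(?<exceptionclass>[\w.$]+):\s+(?<exceptiontext>.+?)\.?\s+at\s"
| eval exceptiontext = if(isnull(exceptiontext), "unparsed", exceptiontext)
| stats count AS Count BY exceptiontext
| rename exceptiontext AS Exception
| sort - Count
```

The non-greedy `.+?` takes everything after the class name up to the optional trailing period and the whitespace (including the newline) before the first `at` frame, so "Missing A. at random..." yields `Missing A`. In the posted regex `\w+` stops at the first space (giving only `Missing`) and the final `.` matches any single character rather than a literal period. Traces that do not match the pattern are bucketed as `unparsed` rather than silently disappearing from the `stats` output, which is worth checking before trusting the counts.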
Friends, tell me how to approach the following task. I have an alert that runs every two minutes. I need to use this time, apparently something like now(). Next, I need to get the difference between the now() time and the time of the last message (t). Let's call the difference between now() and t "t-now". Introduce the variable "interval" (inter), the value of which is 30 seconds. Then compare t-now and inter.
I am trying to make certain text bold in Splunk email alerts, choosing the HTML/Plain Text option, but the HTML tags appear as-is in the emails that get generated. Thanks in advance, Manoj
Within the Splunk Add-on for AWS, the CloudWatch input type has an option to specify an assume role (for a multi-AWS-account setup). However, for the CloudWatch Logs input type there is no assume-role option. So does each account need a programmatic-access user if we have to use the CloudWatch Logs input?
Hi peeps, I want to join the information below into one table.

1st query:

    index=sslvpn
    | iplocation src_ip
    | search Country != Malaysia
    | eval Country = if(isnull(Country),"unknown",Country)
    | table _time, user,src_ip,Country,action
    | rename user as "User ID", src_ip as "Source IP", action as "Status"

2nd query:

    index=sslvpn group_path="ADL"
    | iplocation accessIP
    | where Country !="Malaysia"
    | table _time, user,accessIP,Country,action

I try to join these tables with the query below:

    index=sslvpn
    | iplocation src_ip
    | search Country != Malaysia
    | eval Country = if(isnull(Country),"unknown",Country)
    | table _time, user,src_ip,Country,action
    | append
        [search index=sslvpn group_path="ADL"
         | iplocation accessIP
         | where Country !="Malaysia"
         | rename accessIP as src_ip]
    | rename user as "User ID", src_ip as "Source IP" action as "Status"

but the result does not contain the 2nd query's information. Please help. Thank you.
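An added example, not the poster's query, that builds the combined table in a single pass instead of an `append` subsearch (which is subject to subsearch result-count and time limits). It assumes that events with `group_path="ADL"` carry the client address in `accessIP` and all other events carry it in `src_ip`, as the two posted queries suggest. Two details matter for the ordering: `search Country != Malaysia` only matches events that actually have a `Country` field, so the `isnull` to "unknown" eval never sees the events it was written for, and `where Country != "Malaysia"` likewise drops null values. Filling the field first and filtering afterwards keeps the unresolved addresses in the table:

```spl
index=sslvpn
| eval src_ip = if(group_path = "ADL", accessIP, src_ip)
| iplocation src_ip
| eval Country = if(isnull(Country) OR Country = "", "unknown", Country)
| where Country != "Malaysia"
| table _time user src_ip Country action
| rename user AS "User ID", src_ip AS "Source IP", action AS "Status"
```

If the non-ADL events also carry `accessIP` for some sources, swap the first `eval` for `coalesce(src_ip, accessIP)` so neither population is lost.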
We recently upgraded our KV store storage engine to WiredTiger, after previously using MMAPv1. When I run:

    splunk show kvstore-status

it says:

    storageEngine: wiredTiger

Yet we keep getting the "Storage engine migration recommended" alert. Did anyone else run into this? Does anyone know why? And is there a way to disable it?
Am I able to set up a Splunk instance that would allow users outside of my network to enter my Splunk instance in a VM environment? Can anyone link me to documentation that will help? Preferably something that can be connected to via a URL like this: https://splunk.samsclass.info (Username: Student1, Password: Student1). Just something in a safe environment that a few people can play around in. Does Splunk itself allow this?
Hello Splunkers!! As per the results below, I want to send an individual report to each manager at their email ID. Likewise, I have 50+ managers, and I have to send individual reports to their individual email IDs. Please guide me on how I can achieve this.

    Manager  pass  fail  email
    abc      80    20    abc@gmail.com
    xyz      70    30    xyz@gmail.com
    nbq      60    40    nbq@gmail.com
Hello, we are ingesting data on multiple indexes for different departments. We want to create an alert so that when any index is not receiving logs from a host, it sends an email to the specific department's mail address. We created a lookup .csv file and entered the index name and email address. Below is the query I am trying to execute, but I get no results.

    | tstats latest(_time) as latest where index=* earliest=-6h by host
    | eval recent = if(latest > relative_time(now(),"-45m"),1,0), realLatest = strftime(latest,"%c")
    | where recent=0
    | outputlookup weblogs-index.csv
    | stats values(useremail) AS emailToHeader
    | mvexpand emailToHeader
    | map search="index | inputlookup weblogs-index.csv | where useremail=\"$emailToHeader$\" | fields - useremail | sendemail sendresults=true inline=true server=\"Your.Value.Here\" from=\"Your.Value.Here\" to=\"$emailToHeader$\" subject=\"Your Subject here: \$name\$\" message=\"This report alert was generated by \$app\$ Splunk with this search string: \$search\$\""
    | appendpipe [|inputlookup weblogs-index.csv]
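An added example, not the poster's query and not Splunk-supplied code, that serves both this post and the per-manager report post above: one search finds the indexes that have gone quiet and mails each department address taken from the lookup. Assumptions: the lookup `weblogs-index.csv` has columns `indexname` and `useremail`; `smtp.example.com` and `splunk@example.com` are placeholders. Two things the posted query does are worth knowing about: `outputlookup weblogs-index.csv` without `append=true` replaces the lookup file with the search results, which destroys the email mapping, and a `tstats ... BY index` search returns no row at all for an index with zero events in the window, so "silent" indexes have to come from the lookup side, as below:

```spl
| inputlookup weblogs-index.csv
| rename indexname AS index
| join type=left index
    [ | tstats latest(_time) AS latest WHERE index=* earliest=-6h BY index ]
| eval latest = coalesce(latest, 0)
| where latest < relative_time(now(), "-45m")
| eval last_seen = if(latest = 0, "no events in the last 6h", strftime(latest, "%Y-%m-%d %H:%M:%S"))
| map search="| makeresults | eval index=\"$index$\", last_seen=\"$last_seen$\" | fields - _time | sendemail to=\"$useremail$\" from=\"splunk@example.com\" server=\"smtp.example.com\" subject=\"No data received for index $index$\" sendresults=true inline=true" maxsearches=200
```

`map` runs the inner search once per result row, with `$index$`, `$last_seen$` and `$useremail$` substituted from that row, so each department receives only its own index. For the per-manager report, replace the first three lines with the search that produces the Manager/pass/fail/email table, `rename email AS useremail`, and keep the `map ... sendemail` tail. Because the lookup decides who receives data, restrict write permission on it to administrators; anyone who can edit it can redirect alert contents. To alert per host rather than per index, add `host` to the lookup and to the `BY` clause.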
Hi, I have a lookup which looks like this:

    no  name    student  rollno
    1   john    yes      12
    2   George  no       2345
    3   jin     yes      111

How can I iterate through this lookup by the 'no' field and display each entry as a result? I only need one result at a time, so when I first run the search the result should be:

    no  name    student  rollno
    1   john    yes      12

When I run the same search after a minute, the result should be:

    no  name    student  rollno
    2   George  no       2345

Please help.
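An added example, not from the post, that returns a different row on each scheduled run without storing any state: the current minute selects the row, so a search scheduled every minute walks through the lookup in `no` order and wraps around at the end. Assumptions: the lookup is saved as `students.csv` and the search is scheduled with cron `* * * * *`:

```spl
| inputlookup students.csv
| sort 0 num(no)
| streamstats count AS pos
| eventstats count AS total
| eval wanted = (floor(now() / 60) % total) + 1
| where pos = wanted
| fields - pos total wanted
```

`streamstats` numbers the rows 1..N regardless of the actual `no` values, and `eventstats` supplies N so the modulo keeps working when rows are added. Because the selection is clock-driven, a run that is skipped (search head down, skipped scheduled search) skips that row too; if every row must be delivered exactly once, keep a cursor in a KV store collection and advance it with `outputlookup` instead.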
I have 3 search heads and 3 indexers with replication factor = 1 and search factor = 1. My requirement is to increase this to RF=3 and SF=2. Each indexer has around 800 GB of data. Now if I increase the replication factor to 3, does it mean each indexer will end up with around 2.4 TB of data post data rebalancing? And what would be the approximate data size on each indexer if RF is set to 2?
Hi, I need help to extract some fields from the log format below (I'm so bad at this).

    Oct 11 16:06:24 123.12.123.12 SVPN-USR[29489]: {"id":"6767676767","msgid":"6767676767","userInfo":{"userName":"wani","groupId":1519,"groupPath":"/Group ADL/SSAeF","authMethods":""},"clientInfo":{"ip":"123.12.123.12","vip":"123.12.123.12","osType":"WINDOWS","macAddr":"","deviceID":""},"msg":"[accessIP: 123.12.123.129 virtualIP: 123.12.123.12] User wani for session XXXXXXXXXXXX visit ip source ->ip 123.12.123.12 port 10123!","timeStamp":1665475584,"time":"2022-10-11 16:06:24","type":"userlog","logSubType":"access_resource","rcip":"123.12.123.12","actionResult":"success"}

    Oct 11 16:06:24 123.12.123.12 SVPN-USR[29489]: {"id":"6767676767","msgid":"6767676767","userInfo":{"userName":"wani","groupId":1477,"groupPath":"/Group ADL/SSADS","authMethods":""},"clientInfo":{"ip":"123.12.123.12","vip":"123.12.123.12","osType":"WINDOWS","macAddr":"","deviceID":""},"msg":"[accessIP: 123.12.123.12 virtualIP: 123.12.123.12] User wani for session XXXXXXXXXXXX visit ip source ->ip 123.12.123.12 port 443!","timeStamp":1665475584,"time":"2022-10-11 16:06:24","type":"userlog","logSubType":"access_resource","rcip":"123.12.123.12","actionResult":"success"}

I want to extract the action result value, for example: action_result = success

Please help!
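An added example, not from the post, that cuts the syslog header off and hands the JSON payload to `spath` rather than regexing individual keys, which keeps working when key order changes. It also pulls `accessIP` out of the free-text `msg` field, since that field is used in the SSL VPN question earlier on this page. Assumed: the events are in index `sslvpn` and the JSON object is the last thing on the line:

```spl
index=sslvpn "SVPN-USR"
| rex "SVPN-USR\[\d+\]:\s+(?<json>\{.*\})\s*$"
| spath input=json path=actionResult output=action_result
| spath input=json path=userInfo.userName output=user
| spath input=json path=userInfo.groupPath output=group_path
| spath input=json path=clientInfo.ip output=src_ip
| rex field=json "\[accessIP:\s+(?<accessIP>[0-9.]+)\s+virtualIP:\s+(?<virtualIP>[0-9.]+)\]"
| table _time user group_path src_ip accessIP virtualIP action_result
```

Run against the two posted lines this gives `action_result=success` for both, with `accessIP` 123.12.123.129 and 123.12.123.12 respectively. For a quick count, replace the `table` with `| stats count BY action_result`. Once the extraction is settled, the same regex and `spath` paths belong in a search-time field extraction (props.conf) for the sourcetype so every search gets the fields without repeating the commands.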
Hello Splunkers, is it possible to limit the searchable indexes within a custom app? For instance, if I create a new app called "myapp", then inside the Search tab of this app I want to only be able to retrieve results coming from one of my X indexes. Is that possible? Regards, GaetanVP
Hello, I have some websites I monitor. I want to receive an alert when a website is not available more than 15 minutes. Can you help me create a query for that?
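An added example, not from either post, that serves this question and the earlier now() versus interval question: the age of the last successful check per site is compared with a threshold, and sites that have produced no successful check at all are still reported. Assumptions: probe events are in index `web_checks`, sourcetype `http_probe`, with fields `url` and `status`; `monitored_sites.csv` lists the expected `url` values; `inter` is the threshold in seconds (900 for 15 minutes, 30 for the 30-second case):

```spl
| inputlookup monitored_sites.csv
| append
    [ search index=web_checks sourcetype=http_probe status=200 earliest=-24h
      | stats latest(_time) AS last_ok BY url ]
| stats max(last_ok) AS last_ok BY url
| eval inter = 900
| eval age_s = now() - coalesce(last_ok, 0)
| where age_s > inter
| eval age_min = if(isnull(last_ok), null(), round(age_s / 60, 1))
| eval last_ok = if(isnull(last_ok), "no successful check in the last 24h", strftime(last_ok, "%Y-%m-%d %H:%M:%S"))
| table url last_ok age_min
```

Save it as an alert that triggers when the number of results is greater than zero, scheduled at or below the probe interval. Starting from the lookup rather than from the events is what makes a site that never answered show up; a search that starts with `stats latest(_time) BY url` can only report sites that have at least one event.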
Hi @gcusello, I am using the HTML & Plain Text option in email alerts and am trying to make certain text bold, add hyperlinks, etc. It is not taking the tags, but displays the tags as-is when I check the mails received. How
I compared search speed for the same data through a local search and a remote (federated) search. For searches that use an automatic lookup, however, the search speed differs by more than 100x, and the remote search is much faster (local search 10 minutes, remote search 30 seconds). I am wondering why there is such a speed difference. Example: index=firewall action=allow (* ACTION is an automatic lookup setting).
Using version 2.1 of the Infoblox TA, it is not extracting all the fields correctly. The named_message field seems to have the text 'view 2:' in it, which for the dns_response extraction is extracted into the dns_view field. However, it only does this for that single extraction; there are a number of other extractions that do not have this dns_view field, and therefore none of those extractions work. In particular, reply_code never gets set, so this results in all reply_codes in the Network Resolution data model ending up as 'unknown'. Has anyone seen this behaviour before and know what the solution might be?
Hi All, I'm getting the below:

    splunk add oneshot ./kaseya.txt -index main -sourcetype asset kaseya-edge:agent
    ERROR: certificate validation: self signed certificate in certificate chain
    Couldn't complete HTTP request: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

Since I'm working on my development laptop, I don't care if this is signed or not. What I need is a way of stopping the error. TIA, Joe
Hello all, I have configured services in ITSI that have KPIs based on KPI base searches, and for some reason users with the itoa_user role cannot view the content of the Service Analyzer. The structure shows up in the tree view, but the nodes are all greyed out. The tile view displays "No results found". The itoa_analyst role has no issues, and if I make itoa_user inherit power then the content loads, but that's not an acceptable workaround. I also tried to add the capabilities that differ between itoa_user and the power and itoa_analyst roles, but that didn't work either. When I run the KPI base search in a normal search window with the itoa_user role it still doesn't run. With itoa_analyst it does. The KPI base search calls an accelerated data model, and I am working in a distributed and clustered (indexer layer only) environment. All objects are shared globally. I have no idea what is restricting the itoa_user role. Could anybody help? Thanks! Andrew