Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Team, we have recently migrated our Splunk apps from the old server to a new CDP server, and the old server is going to be decommissioned very soon. Our Splunk NFR license is deployed on the old server. So: 1. Can I use the same Splunk NFR license key on the new server? 2. If not, what are the possible solutions to use the same license in the new CDP environment? Can you please suggest and guide. Thanks, Dinesh
What is the time interval for predictive health score calculation cycle? Is it possible to set the predictive health score calculation cycle to 1-minute intervals?
Hi there, is it possible to forward logs from an Azure private cloud to Splunk Cloud using the "Microsoft Cloud Services add-on"? Thanks in advance.
Hi, I tried following the steps from the GitHub repo below to get Kubernetes metrics: https://github.com/signalfx/splunk-otel-collector-chart

Here is the command I used. I am getting logs in the main index k8main, but no data in the metrics index k8metrics.

helm install my-splunk-otel-collector --set="splunkPlatform.endpoint=XXXXX, splunkPlatform.token=YYYYY, splunkPlatform.index=k8main, splunkPlatform.metricsEnabled=true, splunkPlatform.metricsIndex=k8metrics, splunkPlatform.insecureSkipVerify=true, clusterName=splunk-cluster" splunk-otel-collector-chart/splunk-otel-collector

Here is the error I am getting:

error exporterhelper/queued_retry.go:395 Exporting failed. The error is not retryable. Dropping data. {"kind": "exporter", "data_type": "metrics", "name": "splunk_hec/platform_metrics", "error": "Permanent error: \"HTTP/1.1 400 Bad Request\\r\\nContent-Length: 60\\r\\nConnection: Keep-Alive\\r\\nContent-Type: application/json; charset=UTF-8\\r\\nDate: Fri, 30 Sep 2022 14:44:09 GMT\\r\\nServer: Splunkd\\r\\nVary: Authorization\\r\\nX-Content-Type-Options: nosniff\\r\\nX-Frame-Options: SAMEORIGIN\\r\\n\\r\\n{\\\"text\\\":\\\"Incorrect index\\\",\\\"code\\\":7,\\\"invalid-event-number\\\":1}\"", "dropped_items": 27}

Can someone please advise on how to get metrics in the above scenario. Thank you.
I appear to be getting no data from the distinct windows performance app v1.2.0 running on Splunk 9. I have attached a screenshot of the app in question.  
Hello, I would like to extract the 10 milliseconds in the below snippet of text as a separate value in a field. Is there any way to do this? Thank you!!

2022-10-02T12:56:40.073Z [BillingExecutors-4] INFO com...els.kafka.ElsKafkaReceiver - Message processing time at event aggregator in milli seconds 10
2022-10-02T12:56:40.073Z [BillingExecutors-4] INFO com...els.kafka.ElsKafkaReceiver - Message processing time at event aggregator in milli seconds 10
So today I installed the forwarder on a DC that is hosted on a VM, but I can't seem to get any logs from this machine. I've already enabled Splunk to listen on 9997 for receiving. I'm also using the Splunk for Windows add-on and enabled all the logs from the config file (after copying it to the local directory). The Splunk instance is hosted on the host machine, and I've already set up the networking between the host and the VM. I basically followed this guide, but I still can't get it to forward the events. Am I missing any steps here? I also confirmed that the indexer was set correctly in the outputs file. I was able to input data from the local host without an issue before, if that helps.
Hi guys, I am quite new to the Splunk world, please forgive me for asking a very basic question.

So I have a table as follows:

job_id    total_passed    total_failed    total_not_run
9         14              20              6
10        25              31              9

and so on. I want to create a pie chart for different job_ids (let's say 9), with the total_passed, total_failed, total_not_run values (14, 20, 6), and total_passed, total_failed, total_not_run as the headers of the chart in a Splunk dashboard. How do I do it? Any help will be deeply appreciated.
Hi Team, I have the below queries in my dashboard.

Panel1:
index="abc" sourcetype="abc" $reg$ |lookup local=t Org_Alias.csv OrgFolderName OUTPUT OrgName| search OrgName=$OrgName$ | rename OrgName as "Salesforce Org Name" | chart latest(NumberOfActiveUsersNotLoggedInForMoreThan15Days) as "# Active Users NOT logged in > 15 days" latest(NumberOfActiveUsersNotLoggedInForMoreThan30Days) as "# Active Users NOT logged in > 30 days" latest(NumberOfActiveUsersNotLoggedInForMoreThan60Days) as "# Active Users NOT logged in > 60 days" latest(NumberOfActiveUsersNotLoggedInForMoreThan90Days) as "# Active Users NOT logged in > 90 days" by "Salesforce Org Name"

Panel2:
index="abc" sourcetype="abc" $reg$ |lookup local=t Org_Alias.csv OrgFolderName OUTPUT OrgName| search OrgName=$OrgName$ | chart latest(NumberOfActiveUsers) as "Number Of ActiveUsers" latest(SalesforceOrgId) as "Salesforce Org Id" latest(NumberOfActiveUsersNotLoggedInForMoreThan15Days) as "Number Of ActiveUsers Not Logged In For MoreThan 15Days" latest(NumberOfActiveUsersNotLoggedInForMoreThan30Days) as "Number Of ActiveUsers Not Logged In For MoreThan 30Days" latest(NumberOfActiveUsersNotLoggedInForMoreThan60Days) as "Number Of ActiveUsers Not Logged In For MoreThan 60Days" latest(NumberOfActiveUsersNotLoggedInForMoreThan90Days) as "Number Of ActiveUsers Not Logged In For MoreThan 90Days" by OrgName

Panel3:
index="abc" sourcetype="abc" InactiveForMoreThan90Days !="No" $reg$ $type$ |lookup local=t Org_Alias.csv OrgFolderName OUTPUT OrgName| search OrgName=$OrgName$ | dedup _raw |stats count(InactiveForMoreThan90Days) as "Total Inactive Users" by OrgName

Panel4:
index="abc" sourcetype="abc" InactiveForMoreThan90Days !="No" $reg$ $type$ |lookup local=t Org_Alias.csv OrgFolderName OUTPUT OrgName|search OrgName=$selected_value4$ | dedup _raw | stats values(OrgName) as "Org" by Name Email UserId UserName LicenseName LastLoginDateTime

I have made my base search this:
index="abc" sourcetype="abc" $reg$ |lookup local=t Org_Alias.csv OrgFolderName OUTPUT OrgName| search OrgName=$OrgName$|rename OrgName as "Salesforce Org Name"

But it's not working. Can someone guide me here?
Hi, hope you are doing good. I'm having a small query. I want to check my license warnings on my Splunk with the date, i.e. on the 26th of September we received 1 license warning. I'm using the below query to get the total license warnings I have on my Splunk till now:

| rest splunk_server=local /services/licenser/slaves | mvexpand active_pool_ids | where warning_count>0 | eval pool=active_pool_ids | join type=outer pool [rest splunk_server=local /services/licenser/pools | eval pool=title | fields pool stack_id] | eval in_violation=if(warning_count>4 OR (warning_count>2 AND stack_id=="free"),"yes","no") | fields label, title, pool, warning_count, in_violation | fields - _timediff | rename label as "Slave" title as "GUID" pool as "Pool" warning_count as "Hard Warnings" in_violation AS "In Violation?"

Kindly guide me on how I can get the license warnings with the date. Thanks
I have the following JSON object which contains certificate expiration dates:

{
    "certificate-one.crt": 2022-11-11T16:00:00.000Z,
    "certificate-two.crt": 2022-11-11T16:00:00.000Z
}

I want to convert it to the following table:

certificate name       | expiration date
-----------------------|--------------------------
certificate-one.crt    | 2022-11-11T16:00:00.000Z
certificate-two.crt    | 2022-11-11T16:00:00.000Z
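Added example (not part of the post above): the reshaping the poster asks for, done in Python over a constructed copy of their object, extended with the check a practitioner usually wants next to a certificate list, days until expiry and an "expiring soon" flag. The object in the post has unquoted timestamp values, which is not valid JSON, so the loader quotes bare ISO timestamps before parsing; the third certificate, the reference date and the 30/45-day thresholds are assumptions made for the example.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the object in the post above. The first two
# values are unquoted (as they are in the post), which is not valid JSON; the
# loader quotes bare ISO timestamps before parsing so both forms are accepted.
SAMPLE_CERT_JSON = """{
    "certificate-one.crt": 2022-11-11T16:00:00.000Z,
    "certificate-two.crt": 2022-11-11T16:00:00.000Z,
    "certificate-three.crt": "2023-03-01T00:00:00.000Z"
}"""

# A bare ISO-8601 UTC timestamp sitting where a JSON value should be.
BARE_TIMESTAMP = re.compile(
    r':\s*(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z)\s*(?=[,}])'
)


def load_cert_map(text):
    """Return {certificate name: expiry string} from the (possibly sloppy) JSON object."""
    quoted = BARE_TIMESTAMP.sub(r': "\1"', text)
    data = json.loads(quoted)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object of name -> expiry")
    return data


def parse_iso_utc(ts):
    """Parse '2022-11-11T16:00:00.000Z' into an aware UTC datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def expiry_table(text, now_iso, warn_days=30):
    """One row per certificate: (name, expiry, days_left, expiring_soon), sorted by expiry then name."""
    now = parse_iso_utc(now_iso)
    rows = []
    for name, ts in load_cert_map(text).items():
        days_left = (parse_iso_utc(ts) - now).days
        rows.append((name, ts, days_left, days_left < warn_days))
    rows.sort(key=lambda r: (r[1], r[0]))
    return rows


def render(rows):
    """Render rows as the text table asked for in the post, plus the two derived columns."""
    header = ("certificate name", "expiration date", "days left", "expiring")
    lines = [" | ".join(header)]
    for name, ts, days, soon in rows:
        lines.append(" | ".join((name, ts, str(days), "yes" if soon else "no")))
    return "\n".join(lines)


if __name__ == "__main__":
    # Reference date and 45-day threshold are assumptions for the demonstration.
    print(render(expiry_table(SAMPLE_CERT_JSON, "2022-10-03T00:00:00.000Z", warn_days=45)))
```

If the object is already indexed as a valid JSON event, the Splunk-side equivalent of the reshaping is usually `spath` followed by `transpose`, with the days-left column added with `eval` on the parsed timestamp; the Python above is only there to make the logic concrete.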
I am getting the following message when I switch to the Visualization tab after a search: "Your search isn't generating any statistic or visualization results. Here are some possible ways to get results." This is coming from a universal forwarder installed on a Windows server. I was trying to graph the network interface stats. I know I am missing something to allow me to do this.  
I have an Adaptive Response Action (execute_flow in the pic below)  that requires certain identity data about the subject of the notable (mobile phone number).   Not all users have a mobile number set in ES identity. Currently,  I throw a failure event in Python for this condition.   Is it possible to return a warning status instead?  
Good afternoon Splunk ninjas, I will require your assistance in designing a regex that will help me take the values inside of the [] brackets. My sample log line:

2022-09-23T13:20:25.765+01:00 [29] WARN Core.ErrorResponse - {} - Error message being sent to user with Http Status code: BadRequest: {"Details":[{"Code":50,"FieldName":"myfield","Message":"Please supply the value of my field","Detail":null}],"Message":"Sorry, we're unable to process your request. Please check your details and try again.","UserMessage":null,"Code":1,"Explanation":null,"Resolution":null,"Category":2}

I'm interested in filtering for the values of Details: Code, FieldName, Message and Detail. Many thanks for your help!
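Added example (not part of the post above): the extraction the poster describes, in Python over constructed log lines in the same shape. The point it makes is that the regex only needs to isolate the JSON payload; a JSON parser then pulls the Details entries, which is more robust than trying to match the nested array with a regex, and the two extra lines (one with no payload, one truncated mid-payload) show what happens on the failure modes. The second Details entry and the two extra lines are constructed for the example.

```python
import json
import re

# Constructed log lines in the shape of the one in the post above. The second line
# has no JSON payload and the third is truncated mid-payload, to show the failure modes.
SAMPLE_LINES = [
    '2022-09-23T13:20:25.765+01:00 [29] WARN Core.ErrorResponse - {} - '
    'Error message being sent to user with Http Status code: BadRequest: '
    '{"Details":[{"Code":50,"FieldName":"myfield","Message":"Please supply the value of my field","Detail":null},'
    '{"Code":51,"FieldName":"other","Message":"Too long","Detail":"max 10"}],'
    '"Message":"Sorry, we\'re unable to process your request. Please check your details and try again.",'
    '"UserMessage":null,"Code":1,"Explanation":null,"Resolution":null,"Category":2}',
    '2022-09-23T13:20:26.001+01:00 [30] INFO Core.Request - {} - Request completed',
    '2022-09-23T13:20:27.120+01:00 [31] WARN Core.ErrorResponse - {} - '
    'Error message being sent to user with Http Status code: BadRequest: {"Details":[{"Code":50}',
]

# Anchor on the status phrase so the empty "{}" placeholder earlier in the line is skipped,
# then take everything from the first "{" to the last "}" on the line as the JSON body.
PAYLOAD_RE = re.compile(r'Http Status code:\s*(?P<status>\w+):\s*(?P<payload>\{.*\})')

DETAIL_FIELDS = ("Code", "FieldName", "Message", "Detail")


def extract_details(line):
    """Return (status, [detail dicts]) for one line.

    (None, []) when the line carries no payload at all; (status, []) when a payload
    is present but is not valid JSON, e.g. because the line was truncated."""
    m = PAYLOAD_RE.search(line)
    if not m:
        return None, []
    status = m.group("status")
    try:
        body = json.loads(m.group("payload"))
    except json.JSONDecodeError:
        return status, []
    details = body.get("Details") if isinstance(body, dict) else None
    if not isinstance(details, list):
        return status, []
    return status, [{k: d.get(k) for k in DETAIL_FIELDS} for d in details if isinstance(d, dict)]


def flatten(lines):
    """One record per Details entry across all lines, with the HTTP status attached."""
    out = []
    for line in lines:
        status, details = extract_details(line)
        for d in details:
            out.append(dict(d, status=status))
    return out


if __name__ == "__main__":
    for rec in flatten(SAMPLE_LINES):
        print(rec)
```

The same two-step shape carries over to SPL: a `rex` that captures the payload after "Http Status code: <status>:" into a field, then `spath input=<that field> path=Details{}` to get the array elements, `mvexpand` to one row per element, and a second `spath` on the element to expose Code, FieldName, Message and Detail as fields. Truncated lines simply yield no Details rows rather than half-matched garbage.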
Hi. I'm trying to get only failed login attempts, but while I could find the correct field, it's not as accurate, as there might be a successful login after the session. The only way I can think of to bypass this is to use an "if" argument, but I don't know how to involve "if" in SPL. Here are the fields I currently use:

index=application sourcetype=globalscape cs_method="*user*" sc_status=530 - provides all failed logins.
index=application sourcetype=globalscape cs_method="*pass*" sc_status=230 - provides all successful logins.

Thank you for assisting!
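Added example (not part of the post above): the detection logic the poster is after, run in Python over a constructed log sample. A 530 is only reported when no 230 from the same client and username follows it within a window; a success that arrives inside the window is taken as the user correcting a typo, a success long after it does not rescue the earlier failure. The five-column layout, the `c_ip` field name, the 300-second window and the sample events are all assumptions for the example; real Globalscape EFT logs carry more columns, and the poster's own searches key failures on cs_method="*user*", whereas this example treats any 530 as a failure.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in a simplified W3C-style layout:
#   date time c_ip cs_username cs_method sc_status
# Real Globalscape EFT logs carry more columns; only these five matter here.
SAMPLE_LOG = """\
2022-10-02 12:00:01 10.0.0.5 alice USER 331
2022-10-02 12:00:02 10.0.0.5 alice PASS 530
2022-10-02 12:00:09 10.0.0.5 alice PASS 230
2022-10-02 12:05:00 10.0.0.9 bob PASS 530
2022-10-02 12:05:04 10.0.0.9 bob PASS 530
2022-10-02 13:30:00 10.0.0.9 bob PASS 230
2022-10-02 12:07:00 10.0.0.7 carol USER 530
"""

FAILED, SUCCESS = 530, 230


def parse_log(text):
    """Parse the sample layout into event dicts; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        date, clock, c_ip, user, method, status = parts
        events.append({
            "time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "c_ip": c_ip, "cs_username": user, "cs_method": method, "sc_status": int(status),
        })
    return events


def unresolved_failures(events, window_s=300):
    """Return 530 events with no 230 from the same (c_ip, cs_username) within window_s seconds after them."""
    by_session = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_session[(e["c_ip"], e["cs_username"])].append(e)

    unresolved = []
    for evs in by_session.values():
        success_times = [e["time"] for e in evs if e["sc_status"] == SUCCESS]
        for e in evs:
            if e["sc_status"] != FAILED:
                continue
            # A success inside the window after this failure "rescues" it.
            rescued = any(0 <= (t - e["time"]).total_seconds() <= window_s for t in success_times)
            if not rescued:
                unresolved.append(e)
    return unresolved


def failures_by_user(events, window_s=300):
    """Count unresolved failures per username, the shape an alert would key on."""
    counts = defaultdict(int)
    for e in unresolved_failures(events, window_s):
        counts[e["cs_username"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for e in unresolved_failures(parse_log(SAMPLE_LOG)):
        print(e["time"], e["c_ip"], e["cs_username"], e["cs_method"], e["sc_status"])
```

In SPL the same comparison does not need an `if` around the search; it is a `stats` over the session key that keeps the time of the last failure and the last success per client/user, e.g. `max(eval(if(sc_status==530,_time,null())))` and `max(eval(if(sc_status==230,_time,null())))` by c_ip and cs_username, followed by a `where` that keeps rows whose last success is absent or earlier than the last failure. The `window_s` assumption shows up there as the search time range or as an extra bound in the `where`.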
So I was trying to install a forwarder on the DC and I ran into this issue. Here is the link to the log file, since I can't figure out how to attach it here: https://drive.google.com/file/d/1j73adahjOwc52lE6Oxxi6lBzAFHpErK1/view?usp=sharing
<form>
  <fieldset submitButton="false">
    <input type="time" token="tok_time">
      <label>Time</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input id="Reset" type="link" token="resetTokens" searchWhenChanged="true">
      <label></label>
      <choice value="Reset">Reset</choice>
      <change>
        <condition value="Reset">
          <unset token="tok_Time"></unset>
          <unset token="form.tok_Time"></unset>
          <set token="resetTokens">yes</set>
          <set token="form.resetTokens">yes</set>
        </condition>
      </change>
    </input>
    <html depends="$alwaysHideCSSOverride$">
      <style>
        div[id^="Reset"] button{
          width: 180px !important;
          background: rgb(192,192,192,1);
          padding: 10px;
          border-radius: 10px;
          color: Blue !important;
        }
      </style>
    </html>
  </fieldset>
</form>

(Image: Clara-fication: Customizing SimpleXML Dashboards With Inline CSS | Splunk)
We need a way for our custom add-on to include additional information from an alert into the cim_modactions log it writes when a failure happens. The custom add-on's purpose is to create tickets in a remote system with fields from the alert results. Therefore, in the case of a failure to create a ticket in the remote system, it would be really helpful to know details of the alert results which failed to be sent. We can then alert on cim_modactions in the case of action_status=failure and be able to respond by resending that alert. (Ideally we would modify the add-on to be resilient and try to send again; however, we do also need to know about these failures, because in the case of an outage on the remote side we would need to still know what had failed to be sent.) Ideally we would include the entire contents of the alert result in the cim_modactions index. As nearly as we can tell, the "signature" field is often filled with contextual information. Replacing that value may be an option for us if we can find a sensible way to do so.

I go into some more detail and specificity below. The cim_modactions index is useful in determining whether a specific action has been successful or not at our client's environment. We send the output of our Splunk alerts to an external ticketing system through an add-on we built using the Splunk Add-on Builder | Splunkbase. For the sake of this question, let's call the application we built the "ticketing system TA" and the corresponding sourcetype in cim_modactions "modular_alerts:ticketing_system".

If we search using index=cim_modactions sourcetype="modular_alerts:ticketing_system", we return all cim_modactions about the ticketing system. We can know if an alert was successfully created in the remote system if we search on:

index=cim_modactions sourcetype="modular_alerts:ticketing_system" action_status=failure

We get results like:

2022-10-01 09:25:29,179 ERROR pid=1894149 tid=MainThread file=cim_actions.py:message:431 | sendmodaction - worker="search_head_fqdn" signature="HTTPSConnectionPool(host='ticketing_system_fqdn', port=443): Max retries exceeded with url: /Ticketing/system/path/to/login (Caused by ProxyError('Cannot connect to proxy.', ConnectionResetError(104, 'Connection reset by peer')))" action_name="ticketing_system" search_name="Bad things might be happening" sid="scheduler__nobody_ZHNsYV91c2VfY2FzZXM__RMD5e17ae2c72132ca0f_at_1664615700_985" rid="14" app="app where search lives" user="nobody" digest_mode="0" action_mode="saved" action_status="failure"
host = search_head_hostname
source = /opt/splunk/var/log/splunk/ticketing_system_ta_modalert.log
sourcetype = modular_alerts:ticketing_system

Notice that we get a helpful error about the reason for the failure, the search it happened during and the timestamp. Unfortunately this does not get us down to which alert or alerts failed to be sent. In each of our searches we have a field which identifies which remote application is logging. Let's call it client_application_id. If we could include that number, like client_application_id=#####, that would be a help. Even more helpful would be to include alert_result_text="<complete text of the payload being sent across to the remote system at the time of the failure>". We also noticed that if signature contains anything that looks like an assignment, then that assignment becomes a field. For example, in a few cases we actually do see client_application_id=#####, but these are few and not in the case of failures. In these cases there is also:

signature="client_application_id=#####"

Any direction on solving this specific question, or even a suggestion on an alternate approach, would be much appreciated.