I want to enable client authentication, so I modified $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf:

[http]
disabled = 0
enableSSL = 1
port = 56606
serverCert = /opt/splunk/cert/service.pem
requireClientCert = true

I have copied the certificate of my application (myapp.cert) onto the Splunk server. How can I enable myapp.cert in Splunk HEC?
I want to create a maintenance window in ITSI using a cron schedule. How can I do this?
Hello Splunkers, we had some trouble with notable events. Long story short, by wanting to edit one notable, something like 15,000 events were updated instead. Is there any way to roll back and suppress the update done on the edited notable events? Thanks in advance for your answer. Best regards
Hi all, I'm working with an Enterprise Security installation on Splunk Cloud. I have to ingest data from AWS and Azure, so I'm trying to use Data Manager, but this app isn't present in the Splunk Cloud installation. Is this an error to report to Splunk Support, or is it normal that, having ES, I cannot use this app? Thanks to all. Ciao. Giuseppe
When I'm extracting 1 hr of data, I'm able to get the results, but if I go beyond 1 hr, it times out. My requirement is to display 24 hrs of data on a dashboard. Is there any way I can optimize the query below?

index=idx2 sourcetype=demographic
| rex "\|Country_Code~(?<Country_Code>.*?)\|"
| search Country_Code="*"
| rex "Service~(?<Service>\w+)\|"
| rex "Service_version~(?<Version>\d\.\d)\|"
| rex "Response_Status~(?<Status>\w+)\|"
| rex "Elapsed_Time~(?<response_time>\d+)\|"
| rex "Consumer_Name~(?<Consumer_Name>\w+)\|"
| rex "Response_Status_Code~(?<Response_Code>\d+)\|"
| eval countSuccess=if(Response_Code==200 OR Response_Code==206 OR Response_Code==404 OR Response_Code==424 OR Response_Code==403 OR Response_Code==501,1,0)
| eval countFailure=if(Response_Code==500 OR Response_Code==400,1,0)
| eval CountTimeout=if(Response_Code==504,1,0)
| stats values(Version) as Version count as Volume sum(countSuccess) as SuccessPerc sum(countFailure) as FailurePerc sum(CountTimeout) as TimieOutPerc avg(response_time) as AvgResp exactperc90(response_time) as "90% Resp (ms)" exactperc99(response_time) as "99% Resp (ms)" min(response_time) as "Min Resp (ms)" max(response_time) as "Max Resp (ms)" by Consumer_Name Service Country_Code
| sort - Volume
| eval AvgResp=round(AvgResp,2)
| eval SuccessPerc=round((SuccessPerc/Volume)*100,2)."%"
| eval FailurePerc=round((FailurePerc/Volume)*100,2)."%"
| eval TimieOutPerc=round((TimieOutPerc/Volume)*100,2)."%"
| rename AvgResp as "Avg Resp (ms)" SuccessPerc as "Success %" FailurePerc as "Failure %" TimieOutPerc as "Timeout %"
| eval Volume=toString(Volume,"commas")
I am fairly new to Splunk, and I am having a lot of trouble using table lookups. I have a lookup CSV table (team_info) that looks like this:

team_id,active,group
team_a,1,team a ops
team_b,0,team b marketing
team_c,1,team c netops

My search is extracting a field using regex:

index="sys_alerts" | rex field="Message" "...<teamID>..." | eval app="Application A" | lookup team_info team_id as teamID OUTPUT active as active, group as group

When I run the search, teamID is extracted successfully, but I do not see the active or group fields in the events. What am I doing wrong or missing? Thanks in advance.
Hi, I'd like to change the Notable Event row color, or the color of any field, in the Incident Review dashboard to easily identify certain events. I played with "Advanced Edit" by setting display.visualizations.charting.fieldColors with no success, as per the attached screenshot. Ahmed
Hi everyone, I am able to add checkboxes to each row of the table using https://splunkbase.splunk.com/app/4362/, but when I am browsing between two pages it is not working. Example: I selected 3 rows on the first page, then on the second page I selected 2 rows, then from there I go back to the first page. On the first page I am not able to see the 3 selected rows. Can someone help me here?
Hello, in a first dashboard I use 2 dropdown lists: the first dropdown list concerns a relative time choice and the second dropdown list concerns a site choice. I need to retrieve in a second dashboard (the same dropdown lists are also in this dashboard) the choices made from these 2 dropdown lists by executing an HTML link:

<form>
  <label>TEST</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="period">
      <label>Période</label>
      <choice value="1654466400.0">Lundi 6 Juin 2022</choice>
      <choice value="1655071200.0">Lundi 13 Juin 2022</choice>
      <choice value="1655676000.0">Lundi 20 Juin 2022</choice>
      <choice value="1656280800.0">Lundi 27 Juin 2022</choice>
      <change>
        <eval token="debut">period</eval>
        <eval token="fin">debut+432000</eval>
        <eval token="debut_4w">relative_time(debut,"-4w")</eval>
        <eval token="fin_4w">relative_time(debut,"-0w")</eval>
      </change>
      <default>1655071200.0</default>
      <initialValue>1655071200.0</initialValue>
    </input>
    <input type="dropdown" token="site" searchWhenChanged="true">
      <label>Espace </label>
      <fieldForLabel>site</fieldForLabel>
      <fieldForValue>site</fieldForValue>
      <search>
        <query>`index_mes` | dedup site | table site | sort + site</query>
        <earliest>-7d@h</earliest>
        <latest>now</latest>
      </search>
      <choice value="*">*</choice>
      <default>*</default>
      <initialValue>*</initialValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <html>
        <a href="/app/spl_pub/bpe?form.site=$form.site|u$&amp;form.period.earliest=$form.period$&amp;form.period.latest=$form.period$" target="_blank">Cliquez ici</a>
      </html>
    </panel>
  </row>
</form>

It works for the site by adding | search site="$form.site$" to every search in the second dashboard, but it doesn't work for the time. So what is wrong in the HTML link, and how do I take into account the time choice made in the first dashboard in the second dashboard? Thanks
I want to access an API, and I can only use Bearer authentication to access that particular API. I searched a lot about Splunk providing bearer auth to access an API but could not find anything. Can anyone please help me access an API with the bearer authentication option?
I am trying to index a small CSV file with 2 columns (Size: 5.32 KB (5,453 bytes), Size on Disk: 8.00 KB (8,192 bytes)) via a Heavy Forwarder. On the forwarder I see that it shows 0 files.

inputs.conf

[monitor://\\ntnet\filestore1\information_security$\ACSC_Websense_Large_Web_Traffic_Exclusion_List\]
disabled = 0
index = websense_large_web_traffic
sourcetype = csv
crcSalt = <SOURCE>
initCrcLength = 512
Splunk search with index not working; only the "index=_configtracker" index is working.
Morning all, I am new to Data Models and wanted some guidance on how I can enable some of the inactive ones. Is acceleration available after the Data Model is activated? I am confused about acceleration and how to enable a Data Model. I just want to enable our Endpoint Data Model, as we are getting logs from the Universal Forwarder and Sysmon as well. I wanted to find some useful Endpoint use cases I can start using. Any help much appreciated! Thank you!
Hi, I am running my Splunk app in a Docker container. Is there any way to add Splunk add-ons (Webtools etc.) via Docker?
Hi, how can I combine 3 panels of different types into 1, as per the configuration below? The panel above is a Single Value, bottom left is a Pie Chart and bottom right is a Table. I need them as a single panel, so that they can be adjusted and moved around easily. Can CSS be used to do this? Thanks.
Our Splunk environment is producing many Windows event log entries with broken sourcetypes. When looking at the source log line, it's clear with no strangeness, but the sourcetype appears broken. I've been through the deployment server's inputs.conf and transforms.conf but can't see anything obvious. Is there anything I'm missing?
Search Head Cluster bundle push is too slow after Splunk upgrade. Bundle push was so quick in my Splunk version 7.2.9; after upgrading to 8.2, it's taking more time to push the bundle to the cluster.
My OS is Windows 2012 R2, and I'm trying to install Splunk UF 9.0.0.1. First, I uninstalled the old Splunk UF 7.0.2 from "Uninstall a program", then cleaned the registry. Then I installed the new Splunk UF 9.0.0.1, but it failed. The error is:

MSI (s) (2C:28) [05:37:40:433]: Hello, I'm your 64bit Elevated Non-remapped custom action server.
InstallRegmonDrv: Warning: Invalid property ignored: FailCA=.
InstallRegmonDrv: Info: Driver inf file: C:\Program Files\SplunkUniversalForwarder\bin\splunkdrv.inf.
InstallRegmonDrv: Info: Enter. Args: rundll32.exe, setupapi,InstallHinfSection DefaultInstall 128 C:\Program Files\SplunkUniversalForwarder\bin\splunkdrv.inf
InstallRegmonDrv: Info: SystemPath is: C:\Windows\system32\
InstallRegmonDrv: Info: Execute string: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Program Files\SplunkUniversalForwarder\bin\splunkdrv.inf >> "C:\Users\ssu\AppData\Local\Temp\splunk.log" 2>&1"
InstallRegmonDrv: Error: Failed to create process : 0x2
InstallRegmonDrv: Warning: Failed to install regmon driver.
InstallRegmonDrv: Error 0x80004005: Cannot install regmon driver.
CustomAction InstallRegmonDrv returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (2C:A0) [05:37:40:480]: Note: 1: 2265 2: 3: -2147287035

I tried running "sfc /scannow" and rebooting the server; it doesn't resolve my issue. I also ran "sfc.exe /verifyfile=%windir%\system32\difxapi.dll" and "sfc.exe /scanfile=%windir%\system32\difxapi.dll"; that also doesn't resolve my issue. What's the issue? Could you help check my issue?
Hi, may I know how to convert raw data (cookedvalue) from comma to dot using regex?

Raw data in Log Observer:
"instanceName","cookedvalue"
"services","87,8477154366277"

Result:
"instanceName","cookedvalue"
"services","87.8477154366277"
Hello, in my first dashboard I use the time picker below:

<fieldset submitButton="false">
  <input type="dropdown" token="period">
    <label>Période</label>
    <choice value="1654466400.0">Lundi 6 Juin 2022</choice>
    <choice value="1655071200.0">Lundi 13 Juin 2022</choice>
    <choice value="1655676000.0">Lundi 20 Juin 2022</choice>
    <change>
      <eval token="debut">period</eval>
      <eval token="fin">debut+432000</eval>
      <eval token="debut_4w">relative_time(debut,"-4w")</eval>
      <eval token="fin_4w">relative_time(debut,"-0w")</eval>
    </change>
    <default>1655071200.0</default>
    <initialValue>1655071200.0</initialValue>
  </input>
</fieldset>

Now I need to retrieve the time choice made in the time picker in a second dashboard. So here is the link I use:

<a href="/app/spl_pub/bp?form.period=$form.period$" target="_blank">Cliquez ici</a>

And in the second dashboard, I added this in each panel, but it doesn't work:

| search period=$form.period$

What is the problem, please?