Is it possible to add a cron schedule to a Splunk ITSI maintenance window?
Hello, I want the zoom to be replicated in all graphs generated with "Use Trellis Layout". There are 10 timecharts. Is there a way to do it using tokens? I have tried to do it through "Manage tokens on this dashboard" but I am not able to. Has anyone managed it?
Hello, we are using the Splunk App for Salesforce in the Splunk Cloud environment. We noticed that the App, through the saved search "Lookup - ACCOUNT_ID TO ACCOUNT_NAME", every week at midnight creates a CSV file called "lookup_sfdc_accounts.csv", which in our case is populated with over 4 million lines; consequently the size of the file is nearly 500MB. The problem is that, due to the size of this lookup, Splunk Cloud cannot replicate the bundle and the following message appears: "The current bundle directory contains a large lookup file that might cause bundle replication fail. The path to the directory is [...]." We do not have the ability to filter events and reduce the size of the lookup. Has anyone been in the same situation? Is it possible to solve it somehow, for example by migrating the lookup to KV Store? Any suggestions? The App is not directly supported by Splunk and I cannot find the developer's contacts to submit the case.
Tried accessing an API using bearer tokens with TA-Webtools, but I am getting an SSL error as shown below. I tried verifyssl=false and still I am getting the same error. Please help me solve this. @jkat54
Splunk Cloud support is unable to upgrade App #3720 (TA-MS_O365_Reporting) to version 2.0 due to a bad packaging issue. Microsoft is going to retire the legacy protocol (https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-september-2021-update/ba-p/2772210) irrespective of its usage by 1st October 2022. By updating to version 2.0 we would be able to use OAuth instead. Can the app developer get this addressed in the current add-on?
I push the logs to Splunk using the HEC method with the endpoint "/services/collector". The index data shows as 1 MB in the index manager, but when I search through the index the event count always shows "0". Only default configtracker events are showing.
Hi, my job completes at 4AM. I need to set up an alert to monitor the job status 2 hours before the job completion time, i.e. at 2 AM I should start checking the job status to see whether it has completed or not. So starting from 2AM I should monitor and trigger the alert until the job is completed. I am using the below query but it doesn't make sense and doesn't satisfy my above condition.

| makeresults
| eval CurrentTime="05:00:00"
| eval CurrentTimepoch=strptime(CurrentTime,"%H:%M:%S")
| eval SLATIME="04:00:00"
| eval SLATIMEepoch=strptime(SLATIME,"%H:%M:%S")
| eval Diff=(SLATIMEepoch-CurrentTimepoch)
| eval Duration=if(Diff<0, "-", "") + tostring(abs(Diff), "duration")
| eval check1=case(Duration>="02:00:00" AND STATUS!="C","Trigger",1=1,"Dont")

Please help me with how to capture a specific time, i.e. 2 AM, and start checking the job status in the query.
Hi to all. I'm working at a startup company providing security solutions. I started research on how to integrate with Splunk and Splunk ES. For now, we chose to use the HEC method for delivering the data into Splunk Cloud. I wanted to ask some questions. Do I need to create an add-on? To integrate with Splunk ES, what are the actions I need to do? I understand this is the flow of actions: load data using HEC, parse the data and normalize it, eventually load the data into Data Models, and if you don't load data into Data Models, create your Correlation Searches using indexes. I'll be happy if someone is able to elaborate more on each topic and tell me if something is missing.
What are the unique features of Splunk compared to other tools?
I am using HEC to push data to Splunk, and in HEC we have a field Source, and the log which I am forwarding to Splunk also has a field named Source. The issue I am facing is that both source names get merged, and on each log I can see two values for source. I don't want to change the field in my log; is there a way I can change something on HEC?
Hi All, I have created a custom event which gives me data about the top running SQLs. However, when I create an alert on it, it only gives me header information and not the event details. Can you please help me understand how to get event details in the email? Thanks.
Hi All, what are our options if we are not content with the way a TA extracts fields out of our raw data? We are seeing issues with the way the AWS Add-on extracts the values for one of the log sources from AWS. We are using the latest version of their TA as well. What can we do from our side to correct the field extractions? AWS data comes in JSON format and one of the fields is messed up.
Hello, I have one indexer cluster that receives data over inputs.conf [splunktcp://9997]. I want to clone all data received by this indexer cluster on this port to another Splunk instance, which also listens on 9997. I understand this will double my license consumption.

Current: UF --> Indexer (stores all data)
Desired: UF --> Indexer (stores all data) --> Other Indexer (also stores all data)

How can I clone all data received on 9997 from one indexer to another? Thanks
I'm trying to split an event into multiple events. My raw event looks like the below:

<14>1 2022-09-14T12:49:12.620+08:00 TestServer mft 3491 SFTP Audit Log [gamft-sftp@46583 mftcommand="Connect" mftend_time="2022-09-14 12:49:12 PM" mftevent_type="Connection Successful" mftremote_ip="192.168.168.168" mftstart_time="2022-09-14 12:49:12 PM"]<14>1 2022-09-14T12:49:12.620+08:00 TestServer mft 3491 SFTP Audit Log [gamft-sftp@46583 mftcommand="Connect" mftend_time="2022-09-14 12:49:12 PM" mftevent_type="Connection Successful" mftremote_ip="192.168.168.168" mftstart_time="2022-09-14 12:49:12 PM"]<14>1 2022-09-14T12:49:12.727+08:00 TestServer mft 3491 SFTP Audit Log [gamft-sftp@46583 mftcommand="Login" mftend_time="2022-09-14 12:49:12 PM" mftevent_type="Login Successful" mftremote_ip="192.168.168.168" mftstart_time="2022-09-14 12:49:12 PM" mftuser_name="testuser"]

I want to split it into three events; how can I do this?

<14>1 2022-09-14T12:49:12.620+08:00 TestServer mft 3491 SFTP Audit Log [gamft-sftp@46583 mftcommand="Connect" mftend_time="2022-09-14 12:49:12 PM" mftevent_type="Connection Successful" mftremote_ip="192.168.168.168" mftstart_time="2022-09-14 12:49:12 PM"]
<14>1 2022-09-14T12:49:12.620+08:00 TestServer mft 3491 SFTP Audit Log [gamft-sftp@46583 mftcommand="Connect" mftend_time="2022-09-14 12:49:12 PM" mftevent_type="Connection Successful" mftremote_ip="192.168.168.168" mftstart_time="2022-09-14 12:49:12 PM"]
<14>1 2022-09-14T12:49:12.727+08:00 TestServer mft 3491 SFTP Audit Log [gamft-sftp@46583 mftcommand="Login" mftend_time="2022-09-14 12:49:12 PM" mftevent_type="Login Successful" mftremote_ip="192.168.168.168" mftstart_time="2022-09-14 12:49:12 PM" mftuser_name="testuser"]
Hello Splunkers, I am seeing some differences in setting up configurations (Configuration tab) in On-Prem vs Splunk Cloud for the Website Monitoring application. The "Proxy Server" and "Proxy Server Authentication" configurations are both available in Splunk On-Prem but aren't in Splunk Cloud. Only the "Advanced" configuration shows on both platforms. Is anyone seeing the same, or is this intended since the platform is Splunk Cloud? The context of this question is an app migration to Splunk Cloud and observing the experience compared to On-Prem. I'm thinking the Proxy Server settings are no longer needed for the application in Splunk Cloud, hence this difference. Thanks in advance. Kind Regards, Ariel
Hi all, I am trying to extract the field ABDEF-999 into the name Id. But it's not extracting when I use the below commands. Could someone guide me on what the mistake is in the following rex?

| rex field="line" "\"Testcode\":\"(?<id>[^\"]*)\"" | table id

Extracting from:

\\\"Testcode\\\":\\\"ABDEF-999\\\"
Hello, is there a feature roadmap available? I'm loving the new Dashboard Studio for designing some of the projects I'm working on, but sadly find it unusable due to the lack of several main features (export to PDF and the old drilldown options). Thanks!
Hello, I have a plan to upgrade Splunk to version 9.* from 8.2, but we are using Splunk Universal Forwarder 7.1.0. Will Splunk Enterprise be compatible with Splunk Universal Forwarder 7.1.0, or do we have to upgrade the Splunk Universal Forwarder to version 9.*?
If I have a simple dashboard with a time range picker input, how can I add source code to convert the picker selection to a StartDate and EndDate token? StartDate = strftime(earliest, "%m/%d/%Y %H:%M:%S"), EndDate = strftime(latest, "%m/%d/%Y %H:%M:%S")

{
  "visualizations": {
    "viz_ZgRiQCoQ": {
      "type": "viz.column",
      "options": {},
      "dataSources": {
        "primary": "ds_GHdtwfg5"
      }
    }
  },
  "dataSources": {
    "ds_GHdtwfg5": {
      "type": "ds.search",
      "options": {
        "query": "index=_internal \n| top 100 sourcetype"
      },
      "name": "Search_1"
    }
  },
  "defaults": {
    "dataSources": {
      "global": {
        "options": {
          "queryParameters": {
            "latest": "$global_time.latest$",
            "earliest": "$global_time.earliest$"
          }
        }
      }
    },
    "visualizations": {
      "global": {
        "showLastUpdated": true
      }
    }
  },
  "inputs": {
    "input_global_trp": {
      "type": "input.timerange",
      "options": {
        "token": "global_time",
        "defaultValue": "-24h@h,now"
      },
      "title": "Global Time Range"
    }
  },
  "layout": {
    "type": "absolute",
    "options": {},
    "structure": [
      {
        "item": "viz_ZgRiQCoQ",
        "type": "block",
        "position": {
          "x": 0,
          "y": 0,
          "w": 300,
          "h": 300
        }
      }
    ],
    "globalInputs": [
      "input_global_trp"
    ]
  },
  "title": "Global time range picker",
  "description": ""
}

And then be able to display StartDate and EndDate at the top of the dashboard, so if the user selects Last 24 hrs or Last 30 days it can be displayed as 09/12/2022 - 09/13/2022 or 08/14/2022 - 09/13/2022?
Splunk HEC and iOS/HomeKit Shortcuts

A number of years ago the PM for HEC happened to sit behind me at a conf keynote. Glenn leaned forward and said "you're going to love this." He was right; I fell in love with HEC right away. A few months later I was giving him grief about where the HEC example code for Python was, because the Raspberry Pi universal forwarder was not getting love at the time. He replied "it's just JSON and POST, just write it." So I did, and made a HEC Python class a number of folks still use (GitHub - georgestarcher/Splunk-Class-httpevent: Python class to submit events to Splunk HTTP Event Collector).

Recently, I was messing with a lot of iOS shortcuts (https://support.apple.com/guide/shortcuts/welcome/ios), automating things on my phone and in my home. I wondered: what if I posted JSON to the SplunkTrust (https://www.splunk.com/en_us/community/splunk-trust.html) Splunk Cloud instance? Could I do it easily and natively within Shortcuts? The short answer is YES!

You need to remember HEC was made by devs for devs. So you need only to decide on a good JSON (Dictionary) payload that meets the HEC Events endpoint formatting. We bother with the raw endpoint because the Dictionary object is a native Shortcuts thing. You will need a valid HEC receiver set up, which is beyond the scope of this post. The HEC receiver will have to be reachable from the Internet, such as Splunk Cloud. You will need to have a valid HEC token and know the index. Here we just use main. You will have to look at the attached screenshots; I am not typing out every tap and step here. Shortcuts are visually self-explanatory.

iOS Shortcuts: Shortcuts have more power on iOS than on HomeKit, so first we will cover the easy way on iOS. First you will want to make a new shortcut to act as your HEC Sender. This is so you can set it up once but run it from other shortcuts that have a well-formed JSON event to send. Think Python class/code reuse.

We receive text from input to the shortcut. This is what we receive when this shortcut is called by "Run Shortcut". We store that in a variable "Hec Payload". We next store the full URL to the HEC Events endpoint and the HEC Token in variables. The final trick is doing the POST action of the payload to the HEC receiver using the "Get contents of HTTP" action. Note that in the attached screenshot we change the action to POST, set the header and use the type File for the JSON payload.

Next let's set up a shortcut that sends the data we want. Here we make one to get the device name and other device information, and log the battery level at the time. The key is making the Dictionary object for the HEC event payload. Here is a drill down of that section. Last, we automate the running of the data shortcut whenever we plug our device into power. To show it works like a champ:

HomeKit: Now let's say you want to log an event from a light coming on. HomeKit can execute some limited shortcut actions. These get executed on whatever your HomeKit hub turns out to be, such as an Apple TV 4K or HomePod, hence the limitation. The limitation for us is that there is no Run Shortcut action. This means you have to make the JSON payload (dictionary) object and the HTTP action together in each automation. No easy set-up of the HEC send to call as needed. In this example we simply log when my mantle Hue bulb comes on. This could be anything HomeKit can trigger off of, such as a button press, motion, temperature etc. I won't expand it all, as they work the same way as our previous example. This just shows you have to build the payload and POST action inside each HomeKit automation action.

What is next? Well, you can automate a HEC post of any data that an iOS or HomeKit shortcut can see. Use your imagination for data that is of value to you.
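The same three pieces the shortcut assembles (the event dictionary, the HEC Events URL, and the "Splunk <token>" header on a POST), written out as an added Python example that is not the author's Splunk-Class-httpevent code. The URL, token and the battery event are constructed placeholders; the response-code handling reflects HEC's JSON reply, where only code 0 means the event was accepted.

```python
"""Build and send a Splunk HEC event the way the post's shortcut does:
a JSON dictionary payload POSTed to /services/collector/event with the
token in the Authorization header. Added example; host, token and event
values below are constructed placeholders."""
import json
import time
import urllib.request

HEC_URL = "https://example.splunkcloud.com:8088/services/collector/event"  # placeholder
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder token


def build_hec_payload(event, index="main", sourcetype="ios:shortcut",
                      host="my-iphone", event_time=None):
    """Return the dictionary the HEC /event endpoint expects.
    `event` may be a string or a dict (the shortcut's Dictionary object)."""
    if not isinstance(event, (str, dict)):
        raise TypeError("event must be a string or a dictionary")
    return {
        "time": round(event_time if event_time is not None else time.time(), 3),
        "host": host,
        "index": index,
        "sourcetype": sourcetype,
        "event": event,
    }


def build_request(payload, url=HEC_URL, token=HEC_TOKEN):
    """Wrap the payload in a POST carrying the 'Splunk <token>' header."""
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"})


def parse_hec_response(body):
    """HEC replies with JSON like {"text":"Success","code":0}. Only code 0
    is success; e.g. code 4 is 'Invalid token'. Returns (ok, text)."""
    reply = json.loads(body)
    return reply.get("code") == 0, reply.get("text", "")


def send_event(event, **kwargs):
    """POST the event. TLS certificate verification stays on (urlopen default)."""
    req = build_request(build_hec_payload(event, **kwargs))
    with urllib.request.urlopen(req, timeout=10) as resp:  # raises on HTTP errors
        return parse_hec_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: what the battery-logging shortcut would send.
    battery_event = {"action": "plugged_in", "device": "my-iphone", "battery_pct": 87}
    print(json.dumps(build_hec_payload(battery_event, event_time=1663113600), indent=2))
```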