Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
I want to access an API, and I can only use Bearer authentication to access that particular API. I searched a lot for Splunk providing bearer authentication to access an API but could not find anything. Can anyone please help me access an API with the bearer authentication option?

I am trying to index a small CSV file with 2 columns, Size 5.32 KB (5,453 bytes), Size on Disk 8.00 KB (8,192 bytes), by Heavy Forwarder. On the forwarder I see that it shows 0 files.

inputs.conf:

    [monitor://\\ntnet\filestore1\information_security$\ACSC_Websense_Large_Web_Traffic_Exclusion_List\]
    disabled = 0
    index = websense_large_web_traffic
    sourcetype = csv
    crcSalt = <SOURCE>
    initCrcLength = 512

Splunk search with index not working; only "index=_configtracker" is working

Morning all, I am new to Data Models and wanted some guidance on how I can enable some of the inactive ones. Is acceleration available after the Data Model is activated? I am confused about acceleration and how to enable a Data Model. I just want to enable our Endpoint Data Model, as we are gaining logs from Universal Forwarder and Sysmon as well. I wanted to find some useful Endpoint use cases I can start using. Any help much appreciated! Thank you!

Hi, I am running my Splunk app in a Docker container. Is there any way to add Splunk add-ons (Webtools etc.) via Docker?

Hi, how can I combine 3 panels of different types into 1, as per the configuration below? The panel above is a Single Value, bottom left is a Pie Chart and bottom right is a Table. I need them as a single panel, so that they can be adjusted and moved around easily. Can CSS be used to do this? Thanks.

Our Splunk environment is producing many Windows event log entries with broken sourcetypes. When looking at the source log line, it's clear with no strangeness, but the sourcetype appears broken. I've been through the deployment server inputs.conf and transforms.conf but can't see anything obvious. Is there anything I'm missing?

Search Head Cluster push bundle is too slow after Splunk upgrade
Bundle push was so quick in my Splunk version 7.2.9; after upgrading to 8.2 it's taking more time to push the bundle to the cluster.

My OS is Windows 2012 R2, and I am trying to install Splunk UF 9.0.0.1. First, I uninstalled the old Splunk UF 7.0.2 from "uninstall program", then cleaned the registry. Then I installed the new Splunk UF 9.0.0.1, but it failed. The error is:

    MSI (s) (2C:28) [05:37:40:433]: Hello, I'm your 64bit Elevated Non-remapped custom action server.
    InstallRegmonDrv: Warning: Invalid property ignored: FailCA=.
    InstallRegmonDrv: Info: Driver inf file: C:\Program Files\SplunkUniversalForwarder\bin\splunkdrv.inf.
    InstallRegmonDrv: Info: Enter. Args: rundll32.exe, setupapi,InstallHinfSection DefaultInstall 128 C:\Program Files\SplunkUniversalForwarder\bin\splunkdrv.inf
    InstallRegmonDrv: Info: SystemPath is: C:\Windows\system32\
    InstallRegmonDrv: Info: Execute string: C:\Windows\system32\cmd.exe /c "C:\Windows\system32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 128 C:\Program Files\SplunkUniversalForwarder\bin\splunkdrv.inf >> "C:\Users\ssu\AppData\Local\Temp\splunk.log" 2>&1"
    InstallRegmonDrv: Error: Failed to create process : 0x2
    InstallRegmonDrv: Warning: Failed to install regmon driver.
    InstallRegmonDrv: Error 0x80004005: Cannot install regmon driver.
    CustomAction InstallRegmonDrv returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
    MSI (s) (2C:A0) [05:37:40:480]: Note: 1: 2265 2: 3: -2147287035

I tried to run "sfc /scannow" and reboot the server, but it doesn't resolve my issue. I also ran "sfc.exe /verifyfile=%windir%\system32\difxapi.dll" and "sfc.exe /scanfile=%windir%\system32\difxapi.dll". That also doesn't resolve my issue. What's the issue? Could you help check my issue?

Hi, may I know how to convert raw data (cookedvalue) from comma to dot using regex?

Raw data in Log Observer:

    "instanceName","cookedvalue"
    "services","87,8477154366277"

Result:

    "instanceName","cookedvalue"
    "services","87.8477154366277"

Hello, in my first dashboard I use the timepicker below:

    <fieldset submitButton="false">
      <input type="dropdown" token="period">
        <label>Période</label>
        <choice value="1654466400.0">Lundi 6 Juin 2022</choice>
        <choice value="1655071200.0">Lundi 13 Juin 2022</choice>
        <choice value="1655676000.0">Lundi 20 Juin 2022</choice>
        <change>
          <eval token="debut">period</eval>
          <eval token="fin">debut+432000</eval>
          <eval token="debut_4w">relative_time(debut,"-4w")</eval>
          <eval token="fin_4w">relative_time(debut,"-0w")</eval>
        </change>
        <default>1655071200.0</default>
        <initialValue>1655071200.0</initialValue>
      </input>
    </fieldset>

Now I need to retrieve the time choice made in the timepicker in a second dashboard. So here is the link I use:

    <a href="/app/spl_pub/bp?form.period=$form.period$" target="_blank">Cliquez ici</a>

And in the second dashboard I added this in each panel, but it doesn't work:

    | search period=$form.period$

What is the problem, please?

Problem getting API data from an external service.

Script location: /opt/splunk/etc/apps/statuscake/bin/statuscake.sh

    #!/bin/bash
    curl https://api.statuscake.com/v1/pagespeed \
      -H "Authorization: Bearer secretkeyhere"

When running the curl command directly on the Linux host, the output of the command is working. When running the script.sh (see above) from the CLI (as the splunk user), the output is working. When running the script by Splunk itself, the output shows only in splunkd.log:

    09-13-2022 03:21:49.753 +0000 ERROR ExecProcessor [7634 ExecProcessor] - message from "/opt/splunk/etc/apps/statuscake/bin/statuscake_api.sh" \r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (77) Problem with the SSL CA cert (path? access rights?)
    09-13-2022 03:21:49.649 +0000 ERROR ExecProcessor [7634 ExecProcessor] - message from "/opt/splunk/etc/apps/statuscake/bin/statuscake_api.sh" % Total % Received % Xferd Average Speed Time Time Time Current
    09-13-2022 03:20:49.771 +0000 ERROR ExecProcessor [7634 ExecProcessor] - message from "/opt/splunk/etc/apps/statuscake/bin/statuscake_api.sh" \r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (77) Problem with the SSL CA cert (path? access rights?)

Tried already (without success): updating ca-bundle on CentOS (curl points to the right path); updated Splunk cert. Trying to replicate, but curl and the script work without problems as long as they are not being triggered by Splunk.

Hello, I understand that the HTTP Event Collector receives data over HTTPS on TCP port 8088 by default. What I am wondering is, if I have virtual machines running in the Azure cloud, do I need to open both inbound and outbound port 8088 in the Azure portal firewall settings? Also, I was hoping to disable HTTPS by clicking on the Global Settings button at the top of the HTTP Event Collector management page in Splunk Cloud, but I see that it's greyed out. I am in the admin role, so is this changeable?

Data cannot be registered by Universal Forwarder. There are a total of 12 Universal Forwarders. Only one of these universal forwarders registers data. Even if I change crcSalt, the data cannot be registered. Which part should I check?

Setting:

    [monitor://D:\Splunk\iocheck\PMC*\PMC*.csv]
    disabled = 0
    index = pmc
    host_segment = 3
    sourcetype = pmc_iotable
    crcSalt = <SOURCE>

I am using Splunk Cloud. I would like to use the lookup file to find out if there is an IP corresponding to the blacklist, but only 10.50.88.22 is hit.

Definition of lookup:

    WILDCARD (IP)

Contents of lookup file:

    IP
    10.50.88.22
    10.30.50.70

Search statement:

    | makeresults format=csv data="IP
    10.50.88.220
    10.50.88.22
    10.50.88.2"
    | lookup test.csv IP OUTPUT IP as list_IP
    | where list_IP IN(IP)
    | table IP list_IP

If it works correctly, I want the following two to hit:

    10.50.88.220
    10.50.88.22

Referencing past questions and changing the lookup definition to the following did not work:

    WILDCARD (IP)

Is my search statement wrong? Any advice would be greatly appreciated.

Brand new VM server. Fresh copy of Splunk 9.0 install file. Running installer with elevated privileges. Selecting Domain Account option in wizard. Account used is a member of Domain Admins. Account listed in Security Policy as a member of Allow Login Locally. Generated log file for install, but nothing in it shows an error. All these were suggestions to look at if the install is not working that I found online. Yet it still fails doing the install and does a rollback. Any other suggestions? Thanks

Hello all, I have been tasked with building a clustered environment from scratch in PROD. This will be my first. I have only practiced in a test environment, and everything is usually good. But I would like to know any DOs and DON'Ts, if any, or tips to be more successful. Secondly, once I am done and everything is running, how do I connect the old environment to the new one and transfer, or rather copy, the same alerts, reports, dashboards, and apps to the new site? Thanks for your help in advance.

Hi all! We use stats commands to pull in data from our APIs. But our APIs get called multiple times in a single session. This works well if you want to use the first or last API call, using first(variable) or last(variable). However, we want to pull in the middle API call. Is there a way to do this? I realize there's no param for middle(variable), but I'm looking for possible alternatives. Any help would be much appreciated!

    index=conversation sourcetype="cui-orchestration-log" botId=123456
    | stats first(experiments__40000) as treatment middle(case_number) as case_ID by sessionId

My organization has a 10G a day data ingest subscription with Splunk. Recently, every Tuesday, our firewall data ingest spikes, sending us over the 10G limit. How can I find out what is causing this Tuesday spike? Any suggestion will be appreciated.

Hey, I was trying to filter some search data in Splunk using regex. I was able to figure out the regex part. However, when I try to input it into Splunk, I get an error:

    Error in 'SearchParser': Missing a search command before '\'. Error at position '321' of search query 'search index=nessus [ search index=nessus ...{snipped} {errorcontext = <paths>^([\w]+[^\w\r\}'.

Splunk command:

    | rex field=pluginText (?<paths>^([\w]+[^\w\r\n]+){2}[\w]+)

Regex link: regex101: build, test, and debug regex