Splunk Add-on for Microsoft Office 365 -- I'm unable to index files over 7 days old. Where can this configuration be changed in the Add-on? Splunk Add-on for Microsoft Office 365 Version: 2.0.2, Build: 1; Splunk Version: 8.1.5
Hello Experts, We have Splunk DB Connect inputs configured to fetch logs from DB tables based on SQL queries. In general, for unstructured data we apply the standard props.conf settings below as a best practice:
TIME_FORMAT
MAX_TIMESTAMP_LOOKAHEAD
SHOULD_LINEMERGE
LINE_BREAKER
TRUNCATE
TIME_PREFIX
Do we need to configure the above settings for DB Connect logs as well? If yes, what would the suggested values be? Please help me to understand this.
I hate to have a newbie question here, but I am deploying a Linux Splunk server with several Windows workstations. The workstations show up in the forwarders area; however, I cannot find the hostname of the Linux server I am on. Do I need to include a forwarder on the Splunk server? I have never worked at the application level with Splunk before, so I apologize if this is a silly question.
Hi, I have a standalone server which was running version 9.0.0.1 earlier. Now it has been updated to the latest version, 9.0.1. After the upgrade, the upgrade readiness app scanned all the apps and showed 2 system config failed errors in the Splunk Platform Compatibility Scan. I have attached the error snapshot herewith. Any idea on how to resolve this? Thanks in advance.
I've 2 queries: 1 will give the total number of events and the other will give the counts by error type. I'm trying to join the two queries so that I can get the percentage of each error type.
Query 1: index=app "ResponseLoggingFilter" "Operation" | stats count as Total_Transaction
Query 2: index=app "ResponseLoggingFilter" "Operation" NOT "OK" NOT "1041" | rex "(?:.+message\"\:\")(?<Error_Message>.+)(?:\"\,)" | stats count by Error_Message
Hi, how can I make both of these panels the same height?
I need the count and count % to be reflected in the Available and Not Available line with the value. I would appreciate any help. - |eval Status = Status." : ".count
Hi Splunkers, I'm trying to build a dashboard to capture all the triggered alerts, with some custom actions to be applied for each alert. I'm trying to make a table with Alert Name, Alert Triggered Time and Alert Results URL (which we actually get in an email when we enable email notification). I would like to know how to get the URL for each triggered alert's results and pass that into a dashboard, so that users can view those results by clicking that link and take actions based on them.
My data looks as follows:
host col2
---- -------
A    SUCCESS
A    ERROR
B    ERROR
B    SUCCESS
B    SUCCESS
C    ERROR
Here is the desired output:
host Total_rows_for_this_host Errors_for_this_host ErrorPercentage
---- ------------------------ -------------------- ---------------
A    2                        1                    50
B    3                        1                    33
C    1                        1                    100
For every host, we need to find the error percentage. What query could I use? Thank you.
Hello, please, I have a problem with a search. If I run this search, it has inconsistent ingestion. Here is the search I ran: index=compare_items. If I put a time range of 60 mins or even 7 days, I do not see results. But if I put 30 days, I have like a million events populated. Here is the error message I got from Splunk: configuration for xyz/123/xxx/ took longer time than expected. This usually indicate problem with underlying storage performance. Can someone help me if you have had a similar experience? Thanks
I can't manage to install Splunk in my Ubuntu virtual machine.
Hi, I am new to Splunk and looking to use it for analytics in place of Matomo. I have it gathering my logs and I can query them. However, I am trying to understand what benefits I would get from this add-on. Does it enrich the data or provide prebuilt queries/dashboards? Thanks
Hi Community, I have these alerts on EDR and I want to create a correlation search to show these alerts on Splunk:
Found alert GnDump.exe was returned as Malware from the Fidelis Sandbox Submission on endpoint HQ0S-IT-NAS.Jmcc2.local
Found alert GnScript.exe was returned as Malware from the Fidelis Sandbox Submission on endpoint HQ0S-IT-NAS.Jmcc2.local
Hi, I'm doing prep work for my 8.2.6 upgrade to 9.0.1 and I have a couple of apps which are not listed as compatible with 9.0 in Splunkbase. These are: Splunk Datasets Add-on | Splunkbase; Splunk Secure Gateway - Get started with Splunk Secure Gateway - Splunk Documentation. I note that the Splunk docs for both of these apps indicate that they are built into Splunk. My question is, should I delete these two from the etc/apps folder BEFORE I do the upgrade?
Not sure if anyone is using this script to pull logs from Salesforce ecommerce; hoping to get some input from similar cases. URL: https://github.com/Pier1/sfcc-splunk-connector This script is installed on a server with a UF installed. I know the UF is pushing logs because I have other inputs.conf entries that are pushing logs to Splunk Cloud. However, in this case the sfcc connector runs off a Python script. That script runs okay on the server; however, I'm not sure why the UF isn't forwarding it into Splunk.
Splunk Add-on for Cisco ESA not working when installed on Splunk Cloud? I get this error message ("Oops. Page Not Found") when I try to open the App.
I need to calculate the count of the good 15-minute intervals where (status code = 200 AND average response time < 300 milliseconds AND 99.99th percentile response time < 1500 milliseconds), divided by the total count of the intervals, times 100. Could someone help? I already have status code and response time in two separate fields.
My Query:
index=test sourcetype=true AND private AND beta
|rex field=_raw "\[private]\s(?<category>\S+\s+\S+\s+\S+)"
|dedup category, source
|eval category=upper(category)
| stats count by category
|rename count as count1
| appendcols [search index=test sourcetype=true AND private AND alpha |rex field=_raw "\[private]\s(?<category>\S+\s+\S+\s+\S+)" |dedup category, source|eval category=upper(category)| stats count by category |rename count as count2]
| eval Total=(count1-count2)
So when the 2nd query doesn't have any events, I am not getting the Total column.
Current output if the 2nd search doesn't have any events:
category count1
xxxx     5
Desired output:
category count1 count2 Total
xxxx     5      0      5
This is the original link. Anyone know where this has been moved to? http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings%3F It describes all of the props.conf attributes and which tier they are applicable to.
How do I list multiple sources in a query: sourcetype=xml source="/wealthsuite/tti/current/*"?