I set up an alert so that when it triggers it runs a script called test.bat (this is a windows environment) which is located in $SPLUNK_HOME/bin/scripts. The .bat script is just a one liner that says "echo hello"
splunkd.log shows this error when it tries to execute it:
*08-14-2018 17:09:07.268 -0700 ERROR script - sid:scheduler__jeff_search__RMD581e2e8e1bcfdf00c_at_1534291740_150 command="runshellscript", Script: C:\Program Files\Splunk\bin\scripts\test.bat exited with status code: 1*
This is how I have my alert setup (see picture) - any help is appreciated.
![alt text][1]
[1]: /storage/temp/255712-testbat.png
Hi all,
I have created a dashboard with a search parameter that grabs fields as per the chosen radio button. However, I want to make this a little user friendly so that the chosen field can display in either the Search Field or Search Panel Name.
Please view the attached image:
![alt text][1]
[1]: /storage/temp/255714-msp.png
Any help would be greatly appreciated! Thanks.
Hi,
I am looking for some help on how to remove the malformed expression error coming from the query below, many thanks for your time:
index="test" Policies=policy1 Destination=*@*
| rex max_match=0 field=Destination "(?[^@]+)@(?[^,\"\s\;]+)"
| search Comp [| inputlookup test.csv | fields suspicious]
| table ref Comp date_month
The test.csv has 'app' permissions and |inputlookup test.csv shows the data from the csv.
The rex command works without the search (it extracts domains from email addresses)
Job inspector has a comment of
info : No matching fields exist
Job search has this line:
WARN CalcFieldProcessor - Invalid eval expression for 'EVAL-url_length' in stanza [pan:threat]: The expression is malformed. Expected LIKE.
Hi,
On my search head Mongod is consuming most of my CPU.
**115786 splunk 20 0 40.4g 10.6g 10.5g S 93.8 68.3 7416:45 mongod**
81093 splunk 20 0 262404 96308 13996 S 6.2 0.6 0:03.92 splunkd
1 root 20 0 193856 4640 2876 S 0.0 0.0 3:31.64 systemd
Is this OK? If not, please help me resolve this.
Thanks,
Om
Using the license usage tool in Splunk (Settings->Licensing->Usage report) I can see all info on the Today tab, but when I click the Previous 30 days tab I get "No results found" in all searches.
Same with other license usage apps.
It did work all fine before upgrading from 6.1 to 7.0
Running windows based install. single server installation.
Any suggestions to some settings that I need to check to get this working again?
Want it to work before I upgrade to 7.1
Hi,
I am trying to add an icon or logo to the add-on that I am creating with Splunk add-on Builder App to be downloaded on Splunkbase before packaging it.
I could not find any documentation on this.
Can someone please guide me?
Thanks a lot!
I have a dashboard xml export from another app. The xml does not appear to be formatted as true xml using <> for some sections. In the sample code below I need the break on each section starting with chartdashlet (i.e. each section is an event). I have added the following line in the props.conf
BREAK_ONLY_BEFORE = (?m)^(tf:OffsetTimeframe?15:SECONDSkl4mtf:Last5Min
avg = 43.397125244140625
max = 43.397125244140625
measure = Memory Utilization
min = 43.397125244140625
name = CBOSYS_Application_Status
Any help is extremely appreciated
We are using Splunk Enterprise 7.1 on Windows. I'm attempting to start the splunk daemon, unsuccessfully. Within splunkd.log I see this:
08-15-2018 15:23:29.835 -0700 INFO loader - Automatic migration of modular inputs
08-15-2018 15:23:40.742 -0700 INFO loader - win-service: Command pre-flight-checks ran successfully.
08-15-2018 15:23:42.007 -0700 ERROR loader - win-service: Error running check-xml-files (_pclose returned 2).
08-15-2018 15:23:42.023 -0700 ERROR loader - win-service: Here is the output from running check-xml-files:
08-15-2018 15:23:42.023 -0700 ERROR loader - C:\Program Files\Splunk\bin\Python.EXE: can't open file 'C:\Program Files\Splunk\Python-2.7\Lib\site-packages\splunk\clilib\cli.py': [Errno 13] Permission denied
08-15-2018 15:23:42.023 -0700 ERROR loader - <<<<< EOF (check-xml-files)
Any idea why startup fails with this error? NOTE: I have administrator rights on this box.
Thx
Hi,
I am using the table command to print out _time, application, name and the events generated by that application.
The problem is that the events are long and cross the page; you need to first scroll down and then scroll horizontally to see the events, which is very cumbersome.
I want the table column to auto-resize itself based on the content. I have tried changing the table width and word wrap in CSS, and read all related answers, but nothing seems to work.
I am new to CSS, below are the code snippets I tried.
Any help would be much appreciated.
.table td {
word-wrap: break-word;
width: 300px;
}
another way I tried -
.table tr td {
width: 70%;
}
I want to monitor the connection status of some network device, and I want to trigger an alert when the same source IP address accesses the device more than 1000 times per hour. How can I achieve this requirement?
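The counting logic behind that alert, as an added example that is not part of the post: per-source-IP counts in fixed one-hour buckets (what a `bin _time span=1h | stats count by src` search computes) next to a trailing one-hour sliding window, run over constructed device connection logs. The log layout (ISO timestamp, `src=`, `dst=`, `action=`), the IPs and the threshold are assumptions; the sliding variant is there because a burst that straddles an hour boundary never exceeds the threshold in any single fixed bucket.

```python
"""Hourly per-source-IP threshold detection over constructed connection logs.
Added example, not from the post; log format and addresses are assumed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+src=(?P<src>\S+)"
    r"\s+dst=(?P<dst>\S+)\s+action=(?P<action>\S+)"
)


def parse_line(line):
    """Return (timestamp, src) for a well-formed line, None otherwise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc), m.group("src")


def make_lines():
    """Constructed sample: one noisy source, one quiet one, one whose burst
    straddles the 09:00/10:00 boundary, plus a malformed line to be skipped."""
    base = datetime(2018, 8, 15, 9, 0, 0, tzinfo=timezone.utc)
    lines = []

    def emit(src, start, n, spread_seconds):
        # n events spread evenly over spread_seconds starting at start
        for i in range(n):
            t = start + timedelta(seconds=(i * spread_seconds) // n)
            lines.append("%s src=%s dst=192.0.2.1 action=connect"
                         % (t.strftime("%Y-%m-%dT%H:%M:%SZ"), src))

    emit("10.0.0.5", base, 1200, 3600)                       # 1200 in one hour
    emit("10.0.0.9", base, 50, 3600)                         # quiet
    emit("10.0.0.7", base + timedelta(minutes=50), 600, 600)  # 09:50-09:59
    emit("10.0.0.7", base + timedelta(hours=1), 500, 600)     # 10:00-10:09
    lines.append("garbage line without fields")
    return lines


def fixed_bucket_alerts(lines, threshold=1000):
    """Sources exceeding threshold within a fixed clock-hour bucket."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are dropped, not counted
        ts, src = parsed
        counts[(src, ts.replace(minute=0, second=0, microsecond=0))] += 1
    return sorted((src, hour.isoformat(), c)
                  for (src, hour), c in counts.items() if c > threshold)


def sliding_window_alerts(lines, threshold=1000, window_seconds=3600):
    """Sources whose peak count in any trailing window exceeds threshold."""
    by_src = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            by_src[parsed[1]].append(parsed[0])
    window = timedelta(seconds=window_seconds)
    alerts = []
    for src, stamps in by_src.items():
        stamps.sort()
        left, best = 0, 0
        for right, t in enumerate(stamps):
            # shrink the window from the left until it spans < window_seconds
            while t - stamps[left] >= window:
                left += 1
            best = max(best, right - left + 1)
        if best > threshold:
            alerts.append((src, best))
    return sorted(alerts)


if __name__ == "__main__":
    sample = make_lines()
    print("fixed 1h buckets:", fixed_bucket_alerts(sample))
    print("sliding 1h window:", sliding_window_alerts(sample))
```

With the constructed data, the fixed-bucket check flags only 10.0.0.5, while the sliding window also flags 10.0.0.7, whose 1100 events sit inside twenty minutes but split 600/500 across two clock hours. If the alert must catch that case, schedule the search more often than hourly with an overlapping `earliest=-1h` window rather than relying on `bin span=1h` alone.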
Hello,
Here is my scenario server:
Splunk_A has index_a index_b and index_c
Splunk_B has Index_d index_e and index_f
Is it possible to copy only index_f from Splunk_B to Splunk_A and configure forwarding and receiving only for index_f on Splunk_B?
Hi all,
I am having an issue with a dashboard that I am working with. The values of the bucket I am using vary from 1 to ~800. Because of this, it makes it impossible to effectively convey the data using this visualization as seen in the attached picture. Has anyone found a way to better represent varying data sets or have any suggestions?
Thanks in advance
![alt text][1]
[1]: /storage/temp/254706-screen-shot-2018-08-15-at-90959-am.png
I need to pass data from Splunk to an external system based upon a triggered Alert.
Could I use the REST API to pass the JSON data or would a python script be a better approach?
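A skeleton of the script approach, as an added example that is not part of the post: a custom alert action that reads the alert payload Splunk hands it on stdin, builds a whitelisted JSON event and POSTs it to the external system over HTTPS. It assumes Splunk invokes the script with `--execute` and a JSON payload containing `sid`, `search_name`, `result`, `results_link`, `session_key` and `configuration`; the sample payload, the endpoint URL and the field names are constructed.

```python
"""Custom alert action skeleton that pushes alert results to an external
system over HTTPS. Added example; assumes invocation as
`python send_alert.py --execute` with the alert payload as JSON on stdin."""
import json
import sys
import urllib.request

# Constructed sample payload in the assumed shape (not captured from a real instance).
SAMPLE_PAYLOAD = json.dumps({
    "sid": "scheduler__admin__search__RMD5deadbeef00000000_at_1534291740_150",
    "search_name": "blocked_admin_logins",
    "app": "search",
    "owner": "admin",
    "results_link": "https://splunk.example:8000/app/search/search?sid=scheduler__admin__search__RMD5deadbeef00000000_at_1534291740_150",
    "session_key": "do-not-forward-this",
    "result": {"src_ip": "10.1.2.3", "user": "svc_backup", "count": "17"},
    "configuration": {"url": "https://tickets.example/api/events",
                      "token": "example-token"},
})

# Only these result fields leave Splunk; everything else is dropped.
FORWARDED_RESULT_FIELDS = ("src_ip", "user", "count")


def parse_payload(raw):
    """Decode the stdin payload and require the keys the action depends on."""
    payload = json.loads(raw)
    for key in ("sid", "search_name", "result", "configuration"):
        if key not in payload:
            raise ValueError("payload missing %r" % key)
    return payload


def build_outbound_event(payload):
    """Whitelist what is sent: the payload's session_key is a live credential
    for this Splunk instance and must never be forwarded."""
    result = payload["result"]
    return {
        "source": "splunk",
        "sid": payload["sid"],
        "search_name": payload["search_name"],
        "results_link": payload.get("results_link"),
        "fields": {k: result[k] for k in FORWARDED_RESULT_FIELDS if k in result},
    }


def send_event(url, token, event, opener=urllib.request.urlopen, timeout=10):
    """POST the event as JSON with a bearer token; refuse non-TLS endpoints."""
    if not url.lower().startswith("https://"):
        raise ValueError("refusing to send alert data over a non-TLS URL")
    body = json.dumps(event).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", "Bearer " + token)
    resp = opener(req, timeout=timeout)
    try:
        return resp.status
    finally:
        if hasattr(resp, "close"):
            resp.close()


def main(argv, stdin):
    if len(argv) > 1 and argv[1] == "--execute":
        raw = stdin.read()            # real invocation by Splunk
    else:
        raw = SAMPLE_PAYLOAD          # stand-alone demo run, no network
    payload = parse_payload(raw)
    event = build_outbound_event(payload)
    if raw is SAMPLE_PAYLOAD:
        print(json.dumps(event, indent=2))
        return 0
    cfg = payload["configuration"]    # url/token come from alert_actions.conf params
    status = send_event(cfg["url"], cfg["token"], event)
    print("posted alert %s: HTTP %s" % (payload["sid"], status), file=sys.stderr)
    return 0 if 200 <= status < 300 else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv, sys.stdin))
```

The endpoint and token are read from the action's configuration parameters rather than hard-coded, the outbound body is an explicit whitelist rather than the whole payload, and a non-exit code of 1 lets the failure show up in splunkd.log the same way the batch-script failure above did.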
Hi All,
We have a requirement where we are supposed to capture errors from the logs using Splunk running on a Windows 10 machine, which will trigger a script to send the details to Netcool using SNMP protocol version 3 from Windows 10 so that they can create tickets.
I refer to below link:
http://docs.splunk.com/Documentation/Splunk/6.3.12/Alert/SendingSNMPtrapstoothersystems
http://wiki.splunk.com/Community:Splunk_Alert_MIB
http://wiki.splunk.com/Community:Sending_SNMP_Traps_On_Windows
but was not able to get it to work. Also, the script is using SNMP v2.
Also, I was not able to install NET-SNMP on Windows 10. Is there any exe file for 64-bit?
Can anyone please help me resolve these issues?
I have an index which consists of 2 fields: name and id. When I created the dropdown, I based it on name since it is easier for the user to identify. But I really need the id as an input for my other searches. I thought I could achieve this with field for label and field for value, but it doesn't work. What can I do to get the value of id without having to create a join for all of my other searches, since I already have a join in my search?
I have a couple of different URL patterns in my logs and I want to write a regex to extract the different URL patterns into a field, group the similar patterns together and display a chart. The following are the sample URL patterns I have in the logs:
search/anc/v1/item/country/China/sample/10
search/anc/v1/sample/list-sample
search/api/v1/samplelinks/country/china/state/10/Type/4
Following is the sample log event:
1.10.137.68 1.10.17.12 - - [17/Ag/2018:7:8:34 +000] "POST search/anc/v1/item/country/China/sample/10 HTTP/1.1" 400 165 9 8
My current search query is as follows, which extracts all URLs from the logs:
search |rex "\s+\/(?<uri_path>\S+)" | chart count over uri_path by Date
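Grouping those URLs into templates, as an added example that is not part of the post: the access line is parsed with a named `uri_path` capture like the post's `rex`, numeric segments are collapsed to `{n}`, and the segment after a known parameter key (country, state, Type) is collapsed to a named placeholder, so `country/China/sample/10` and `country/Brazil/sample/42` count as one pattern. The sample lines are constructed in the layout of the post's one real line, and the set of parameter keys is an assumption about this API.

```python
"""Group access-log URLs into path templates and count hits per template.
Added example, not from the post; sample lines are constructed and the
parameter keys (country, state, type) are assumed for this API."""
import re
from collections import Counter

# client server - - [time] "METHOD path PROTO" status size ...
ACCESS_RE = re.compile(
    r'^(?P<client>\S+)\s+(?P<server>\S+)\s+\S+\s+\S+\s+\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+/?(?P<uri_path>\S+)\s+(?P<proto>[^"]+)"\s+(?P<status>\d{3})'
)
# A segment naming one of these keys is followed by a variable value.
VALUE_KEYS = {"country", "state", "type"}
NUMERIC = re.compile(r"^\d+$")

SAMPLE_LINES = [  # constructed, modelled on the single line in the post
    '1.10.137.68 1.10.17.12 - - [17/Aug/2018:07:08:34 +0000] "POST search/anc/v1/item/country/China/sample/10 HTTP/1.1" 400 165 9 8',
    '1.10.137.68 1.10.17.12 - - [17/Aug/2018:07:08:35 +0000] "POST search/anc/v1/item/country/Brazil/sample/42 HTTP/1.1" 200 301 9 8',
    '1.10.137.70 1.10.17.12 - - [17/Aug/2018:07:08:36 +0000] "GET search/anc/v1/sample/list-sample HTTP/1.1" 200 2048 9 8',
    '1.10.137.70 1.10.17.12 - - [17/Aug/2018:07:08:37 +0000] "GET search/api/v1/samplelinks/country/china/state/10/Type/4 HTTP/1.1" 200 512 9 8',
    '1.10.137.71 1.10.17.12 - - [17/Aug/2018:07:08:38 +0000] "GET search/api/v1/samplelinks/country/India/state/7/Type/4?x=1 HTTP/1.1" 404 0 9 8',
    'not an access log line',
]


def parse_access_line(line):
    """Return the named groups for a matching line, None for anything else."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def normalize_path(path, value_keys=VALUE_KEYS):
    """Collapse variable segments so similar requests share one template.
    Query strings are dropped; numbers become {n}; the segment after a key
    such as country becomes {country}. Other segments are kept verbatim."""
    segments = path.split("?", 1)[0].strip("/").split("/")
    out = []
    i = 0
    while i < len(segments):
        seg = segments[i]
        key = seg.lower()
        if key in value_keys and i + 1 < len(segments):
            out.append(seg)
            out.append("{%s}" % key)
            i += 2
            continue
        out.append("{n}" if NUMERIC.match(seg) else seg)
        i += 1
    return "/".join(out)


def count_patterns(lines):
    """Hits per template; the equivalent of chart count over the template."""
    counts = Counter()
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue  # unparseable lines are skipped rather than miscounted
        counts[normalize_path(rec["uri_path"])] += 1
    return counts


def count_patterns_by_status(lines):
    """Hits per (template, status): which patterns are returning 4xx/5xx."""
    counts = Counter()
    for line in lines:
        rec = parse_access_line(line)
        if rec is not None:
            counts[(normalize_path(rec["uri_path"]), rec["status"])] += 1
    return counts


if __name__ == "__main__":
    for template, n in count_patterns(SAMPLE_LINES).most_common():
        print("%4d  %s" % (n, template))
    for (template, status), n in sorted(count_patterns_by_status(SAMPLE_LINES).items()):
        print("%4d  %s  %s" % (n, status, template))
```

Counting by template rather than raw URL is also what makes anomalies visible: a request whose normalized path matches none of the known templates is worth a separate alert, and a template with a sudden jump in 4xx responses from one client is the hourly-threshold question above applied per pattern.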