All Posts

Hi, I am trying to get a list of all users that hit our AI rule and see if this increases or decreases over a timespan of 90 days. I want to see the application they use and see the last three months displayed as columns with a count of the number of users. Example below:

Applications  June(Month1)  July(Month2)  August(Month3)
chatGPT       213           233           512

index=db_it_network sourcetype=pan* rule=g_artificial-intelligence-access
| table user, app, date_month
| dedup user, app, date_month
| stats count by date_month, app
| sort 0 date_month, app
| rename count as "Number of Users"
| table date_month, app, "Number of Users"
Hello everyone, I have created a dashboard that shows total log volumes for different sources across 7 days. I am using a line chart and trellis. As shown in the pic, I want to add the median/average value of logs as a horizontal red line. Is there a way to achieve it? The final aim is to be able to observe the pattern and median/avg log volumes of a certain week, which ultimately helps to define a baseline of log volume for each source. Below is the SPL I am using:

| tstats count as log_count where index=myindex AND hostname="colla" AND source=* earliest=-7d@d latest=now by _time, source
| timechart span=1d sum(log_count) by source

Any suggestions would be highly appreciated. Thanks
Hello @KendallW, can you please help with a follow-up question? In my case, I'm using HEC to get the logs in, and the "source::" spec cannot distinguish the firewalls. Can I use "host::" instead?
Thanks @richgalloway. The solution worked.
I've been out of touch with Core Splunk for some time, so just checking if there are options for the requirement below. The organisation is looking for an RFP for various Big Data products and needs:
- a multi-cloud design for various applications. Applications (and thus data) reside in AWS/Azure/GCP in multiple regions within Europe.
- Doesn't want to have a lot of egress cost. So aggregating data into the cloud where Splunk was predominantly installed is out of the question.
- The design is to have 'Data nodes' (indexer clusters or data clusters) in each of the cloud providers where the application/data resides.
- A Search Head cluster (cross-cloud search) will then be spun up in the main provider (e.g. AWS), which can then search ALL these remote 'Data nodes'.
Is this design feasible in Splunk? (I understand the Mothership add-on, but my last encounter with it at enterprise scale was not that great.) Looking for something like below with low latency
Yeah, I got it, but is it possible to edit the HTML page? My goal is to change the URL so that when we click on "return to Splunk", it takes us to a customized URL. @KendallW
That error can have a few different causes. Check this post: https://community.splunk.com/t5/Security/Why-does-Saml-response-not-contain-group-information/m-p/417494/highlight/true#M13278
@yuanliu, I see the whole event in a single line when I search for that event, and on the indexer I have Does this conflict with the following? truncated; the actual number of lines in JSON format is around 959 lines. So is there any limit setting on the search head to analyze the whole event? Could you elaborate, maybe with some real examples? (Anonymize as needed.)
index="_internal" source="*license_usage.log" type=RolloverSummary earliest=-30d@d latest=now
| eval _time = _time - 43200
| bin _time span=1d
| stats latest(b) AS b by slave,pool,_time
| eval DailyGB=round(b/1024/1024/1024,2)
| timechart sum(DailyGB) as "volume (GB)" span=1d

@FrankVl The above gives me aggregated values across all the clusters. How do I find out the usage per indexer cluster? I have around 7-8 clusters. Any leads would be appreciated. Thanks
Hi @KendallW, no, I just want to update the SSO HTML file of this homepage.
I have tried to prompt with my email: "To execute the requested action, deny or delegate, click here https://10.250.74.118:8443/approval/14". It needs to enter the Web UI and find the "certain" prompt. If I have 10000 prompts, I cannot find the event related to the email rapidly. Is it possible to use the REST API to post a prompt decision to a certain SOAR event?
Hi @richgalloway, thanks for the reply. The query looks good, but I am missing the two fields below in the results. Can you help in getting them populated?
1) | rex "status:\s+(?<Status>.*)\"}"
2) | rex "Path\:\s+(?<ResourcePath>.*)\""
That looks like it's the token setter JS from the dashboard examples. However, you have require(['jquery', 'underscore', 'splunkjs/mvc', 'util/console'], function($, _, mvc, console) { whereas the original is require(['jquery', 'underscore', 'splunkjs/mvc'], function($, _, mvc) { Have you tried removing the util/console and console declarations?
Thanks for all the replies. Looks like there are 2 approaches to explore. The foreach approach seems to work fine. I'd like to explore the other as well. Sorry for the response delay; I had PTO and some other things to do.
Thanks much for your reply! I'm checking with support to see if they can help set props.conf on the backend, since we are using Splunk Cloud.
Hello, I have some issue getting the Windows performance "Velocity SD Service Counters" logs. I used

[perfmon://Velocity SD Service Counters]
counter = *
disabled = 0
instances = *
object = Velocity SD Service Counters
mode = multikv
showZeroValue = 1
index = windows

but I am not getting events. Any recommendation will be highly appreciated!
Hi @Iris_Pi, would it be feasible to specify the time zone using source stanzas in props.conf instead of sourcetype in this case? [source::] takes precedence over [<sourcetype>] in props.conf.
Hi @Muthu_Vinith, could you please clarify the question? Do you want to on-board an SSO error file to Splunk?
Hello Pickle, thanks much for the help! I'm using the raw endpoint, and I can set the host by using the host parameter now.