All Posts

A search is deferred if it cannot run because there are no search slots, but the schedule_window setting allows Splunk to wait for a slot to become available.  If no search slot opens up before the schedule window closes then the search is skipped. A continued search is a continuous search (realtime_schedule=0) that could not be scheduled.  The scheduler will keep retrying the search and not skip it.
Hi, Need some help with the following JSON data.

ModifiedProperties: [
  {
    Name: Group.ObjectID
    NewValue: 111111-2222222-333333-444444
    OldValue:
  }
  {
    Name: Group.DisplayName
    NewValue: Group A
    OldValue:
  }
  {
    Name: Group.WellKnownObjectName
    NewValue:
    OldValue:
  }
]

I want to extract the 2nd set of values for each event such that Group.DisplayName can become a field in itself, e.g. Group.DisplayName.NewValue=A, Group.DisplayName.OldValue=B. But right now, default extraction is doing something like this. How can I create KV pairs for Group.DisplayName within this JSON array? I tried a few combinations using spath but was not successful. Thank you
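The flattening the post asks for, shown outside Splunk as an added example (not code from the post or from Splunk): each ModifiedProperties entry becomes a pair of dotted fields, Name.NewValue and Name.OldValue, which is the shape the poster wants the extraction to produce. The sample event is constructed to mirror the structure in the post (the OldValue "Group B" is invented so the change check has something to compare); empty values are dropped so the result matches what a search table would show, and a second helper lists which properties actually changed, the filter a defender usually wants when alerting on group or role modifications.

```python
"""Flatten an audit-log style "ModifiedProperties" array into dotted
key/value pairs such as Group.DisplayName.NewValue.

Added example, not the post's code. The sample event is constructed to
match the structure shown in the post; real events carry more fields.
"""
import json

# Constructed sample event: same shape as the array in the post.
SAMPLE_EVENT = json.dumps({
    "ModifiedProperties": [
        {"Name": "Group.ObjectID",
         "NewValue": "111111-2222222-333333-444444", "OldValue": ""},
        {"Name": "Group.DisplayName",
         "NewValue": "Group A", "OldValue": "Group B"},
        {"Name": "Group.WellKnownObjectName",
         "NewValue": "", "OldValue": ""},
    ]
})


def flatten_modified_properties(raw_event, key="ModifiedProperties"):
    """Return {"<Name>.NewValue": ..., "<Name>.OldValue": ...} for every
    entry in the array.

    Empty or missing values are skipped, so fields with no value do not
    appear (the same as a null column being absent from a table). If a
    Name repeats, the last entry wins; switch to lists if your source
    repeats names.
    """
    event = json.loads(raw_event) if isinstance(raw_event, str) else raw_event
    flat = {}
    for entry in event.get(key, []):
        name = entry.get("Name")
        if not name:
            continue  # malformed entry with nothing to key on
        for attr in ("NewValue", "OldValue"):
            value = entry.get(attr)
            if value not in (None, ""):
                flat[f"{name}.{attr}"] = value
    return flat


def changed_properties(flat):
    """Names whose NewValue differs from OldValue in a flattened dict.

    Names themselves contain dots (Group.DisplayName), so the attribute
    is split off from the right, not the left.
    """
    names = {k.rsplit(".", 1)[0] for k in flat}
    return {n for n in names
            if flat.get(f"{n}.NewValue") != flat.get(f"{n}.OldValue")}


if __name__ == "__main__":
    flat = flatten_modified_properties(SAMPLE_EVENT)
    for k, v in sorted(flat.items()):
        print(f"{k}={v}")
    print("changed:", sorted(changed_properties(flat)))
```

Run it as a script to see the flattened fields printed one per line; the same functions can sit in a Splunk custom search command or a pre-ingest script if the extraction cannot be done with spath alone.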
Thank you for your answer! I have just sent this information to the author. But I am also interested in another experience related to my case.
Thank you PickleRick, I already got streamstats in my search query but got more results, not only consecutive ones, and I want to isolate 3 consecutive results (see end of query):

| eval Description=case(RML<104.008, "0", RML>108.425, "1", RML>=104.008, "OK", RML<=108.425, "OK")
| eval Warning=case(Description==0, "LevelBreach", Description==1, "LevelBreach")
| table LWL UWL RML
| eval CR=if(RML<UWL,"0",if(RML>LWL,"1","0"))
| accum CR AS ACC
| streamstats window=3 reset_after="count=3" count
Something like this? https://community.splunk.com/t5/Splunk-Search/Removing-all-null-columns-from-stats-table/m-p/566579
Couldn't resolve host means precisely that - your system is unable to find IP for the name you've given in the request. Either you're providing curl with wrong hostname in the request URI or you're having DNS problems in your infrastructure.
Your description is not very clear but you can either use if with eval to check if some complex condition is fulfilled, like for example:

| eval rule_type=if(like(rule_name,"MHE0%") OR like(rule_name,"%AWS%"),"cloud","prem")

(forget the actual logic, it's the syntax that's important here), or use the case() statement to form something of an ACL:

| eval rule_type=case(like(rule_name,"%AWS%"),"cloud",like(rule_name,"MHE0%"),"onprem",1=1,"cloud default")
Hard to say without knowing your base url. The error 10060 means your code can't connect to the destination server. Either you specified a wrong machine to connect to or you're having some network issues. Can you connect manually to the API endpoint from the host you're running your code on?
Your explanation is a bit unclear but it looks like a job for the streamstats command with a window size of 3.
Hi Team, in a dashboard we have 30 panels and I want to do pagination, so that under each page I should view 5 panels. Please help with how to proceed/query for that. Below is the example: under the 1st dot page I should view 5 panels, the 2nd page should have 5 panels, and so on.
More words please. What exactly are you doing? What is the result and when it happens? Have you verified that the server is actually running? Are you connecting on a proper port? Did you verify network connectivity?
Most probably (I don't know this app so I'm writing from general experience with several apps) the proxy server must be explicitly defined for a given modular input. So if there are no settings within the app itself, you probably need to pester the author of the app about it.
Dear Splunkers, I would like to ask your advice in order to complete the following search result. My table checks for consecutive level breach events in a window of 3 counts.

ACC  CR  count
0    0   1
0    0   2
0    0   3
1    1   1
1    0   2
1    0   3
2    1   1
3    1   2
4    1   3

If there is a level breach the CR column will change to 1 and the ACC column will change to the upcoming number. Now I would like to create an alert if 3 consecutive levels are breached, as shown in the bolded example. Can you suggest how to complete the query and display only the 3 consecutive results so that I can create an alert? Thank you
Hi, I can't connect to my Splunk Enterprise account, I am having this error: connection failure. And there is no way to recover the account, I need help please.
Hello to everyone! I am in the process of trying to fetch vulnerability information from the National Vulnerability Database. I found an app that can do this task via API - this is NVD-CVE-Fetcher-App. The app link is here: https://splunkbase.splunk.com/app/7121?ref=hub.metronlabs.com The problem is that using NAT isn't allowed in our organization, so I was forced to use a proxy. I tried to use a system proxy, but the application ignored the system setting and tried to access the API URL directly. So, two questions: 1. Did anyone try to use the NVD-CVE-Fetcher-App in the proxy-access scenario? 2. Did anyone resolve a similar task using other approaches? For example, another app or a handmade script.
Hello, I ran the following code:

from __future__ import print_function
import urllib.request, urllib.parse, urllib.error
import httplib2
from xml.dom import minidom

baseurl = '<url>'
userName = '<username>'
password = '<password>'
searchQuery = <query>

# Authenticate with server.
# Disable SSL cert validation. Splunk certs are self-signed.
serverContent = httplib2.Http(disable_ssl_certificate_validation=True).request(baseurl + '/services/auth/login', 'POST', headers={}, body=urllib.parse.urlencode({'username':userName, 'password':password}))[1]
sessionKey = minidom.parseString(serverContent).getElementsByTagName('sessionKey')[0].childNodes[0].nodeValue

# Remove leading and trailing whitespace from the search
searchQuery = searchQuery.strip()

# If the query doesn't already start with the 'search' operator or another
# generating command (e.g. "| inputcsv"), then prepend "search " to it.
if not (searchQuery.startswith('search') or searchQuery.startswith("|")):
    searchQuery = 'search ' + searchQuery

print(searchQuery)

# Run the search.
# Again, disable SSL cert validation.
print(httplib2.Http(disable_ssl_certificate_validation=True).request(baseurl + '/services/search/jobs','POST', headers={'Authorization': 'Splunk %s' % sessionKey},body=urllib.parse.urlencode({'search': searchQuery}))[1])

I get this error: "TimeoutError: [WinError 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond" Is my url format wrong? Thanks
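The same login-then-search flow as the poster's script, rewritten as an added example (not the poster's code and not Splunk's SDK) with the two changes a security engineer would make before running it against a real search head: the server certificate is verified against a CA bundle instead of validation being switched off (a self-signed Splunk certificate can simply be pinned as that bundle), and every request carries a socket timeout so a wrong host or blocked port fails within seconds with a message naming the endpoint, rather than hanging until the OS reports WinError 10060. The query normalisation and sessionKey parsing are kept as small testable functions. The base URL, CA path and credentials at the bottom are placeholders.

```python
"""Minimal Splunk REST client on the standard library only.

Added example, not the post's script. Assumes a reachable Splunk
management port (8089 by default) and a CA bundle that signed its TLS
certificate; the values in __main__ are placeholders.
"""
import socket
import ssl
import urllib.error
import urllib.parse
import urllib.request
from xml.dom import minidom


def normalize_search(query):
    """Trim the query and prepend 'search ' unless it already starts with
    the search operator or a generating command such as '| inputcsv'."""
    query = query.strip()
    if query.startswith("search") or query.startswith("|"):
        return query
    return "search " + query


def parse_session_key(xml_text):
    """Pull <sessionKey> out of the /services/auth/login response.

    Raises ValueError when the element is missing, which is what a failed
    login looks like (the response then carries <messages> instead).
    """
    nodes = minidom.parseString(xml_text).getElementsByTagName("sessionKey")
    if not nodes or not nodes[0].childNodes:
        raise ValueError("no sessionKey in login response")
    return nodes[0].childNodes[0].nodeValue.strip()


class SplunkClient:
    def __init__(self, base_url, ca_bundle=None, timeout=15):
        self.base_url = base_url.rstrip("/")
        self.timeout = timeout
        # Verified TLS: point cafile at the CA (or the self-signed server
        # cert itself) rather than disabling validation, which would let
        # any interposed host harvest the credentials and session key.
        self.ctx = ssl.create_default_context(cafile=ca_bundle)
        self.session_key = None

    def _post(self, path, data, headers=None):
        req = urllib.request.Request(
            self.base_url + path,
            data=urllib.parse.urlencode(data).encode(),
            headers=headers or {},
            method="POST",
        )
        try:
            with urllib.request.urlopen(req, timeout=self.timeout,
                                        context=self.ctx) as resp:
                return resp.read().decode()
        except socket.timeout as exc:
            # The urllib equivalent of WinError 10060: nothing answered.
            raise ConnectionError(
                f"timed out reaching {self.base_url}{path}: "
                "check host, port and firewall path") from exc
        except urllib.error.URLError as exc:
            # DNS failure, refused connection, TLS failure or HTTP error.
            raise ConnectionError(
                f"request to {self.base_url}{path} failed: {exc.reason}") from exc

    def login(self, username, password):
        body = self._post("/services/auth/login",
                          {"username": username, "password": password})
        self.session_key = parse_session_key(body)
        return self.session_key

    def create_job(self, query):
        """Submit a search job; returns the raw XML job description."""
        return self._post("/services/search/jobs",
                          {"search": normalize_search(query)},
                          headers={"Authorization": f"Splunk {self.session_key}"})


if __name__ == "__main__":
    # Placeholders: replace with your management URL, CA file and account.
    client = SplunkClient("https://splunk.example.internal:8089",
                          ca_bundle="/path/to/splunk-ca.pem")
    client.login("<username>", "<password>")
    print(client.create_job("index=_internal | head 5"))
```

If the script still times out with the timeout set, the problem is not the URL format but reachability: confirm from the same host that the management port answers (the curl check suggested elsewhere in this thread) before touching the code.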
Hello, how can I get my eval case like to match all values except a specific value? I have the below values for a field called rule_name:

MMT01_windows_brute_force
MMT02_linux_root_login
MMT03_Aws_guardduty_alert

How do I get eval to match everything except anything with AWS in the name? I need to use the wildcard % for the matching part because there are many matches, but just exclude the AWS ones. I found a similar post here where the answer was to use AND! to exclude, but that syntax is no longer supported it seems.

| eval rule_type= case(like(rule_name,"MHE0%"),onprem,cloud)

Expected result: rule_type should end up having 2 values for MMT01 and 02 using a wildcard, and MMT03 should be considered as cloud.
Hello, I send a GET request to Postman as follows:

curl -u <username> -k https://<url>.net:8089/services/jobs/export -d search="<query>"

Why does it fail? "Cloud Agent Error: Couldn't resolve host. Make sure the domain is publicly accessible or select a different agent." And a variation passes, but when I add "-d output_mode csv" at the end, I do not get any csv. Where can I see the same result as I see inside Splunk (Enterprise), i.e. tabular output? Thanks
Hi, I have a table with dynamic fields, some of these fields contain no value or NULL. How do I remove these fields when I don't know the field name beforehand? The field names are never the same so I cannot simply do | fields - name1, name2 etc. Is there a way to remove every field containing no value in a table?
I am trying to ingest data from Cortex via API. The API works 100% but I am getting the following script errors in splunkd.log. Also attached is the log from my partner's environment where we need to complete the integration.

8-14-2024 10:30:27.459 +0200 ERROR ScriptRunner [12760 TcpChannelThread] - stderr from 'C:\Program Files\Splunk\bin\Python3.exe C:\Program Files\Splunk\bin\runScript.py execute':    return func(*args, **kwargs)
08-14-2024 10:30:28.269 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}: WARNING:root:Run function: get_password failed: Traceback (most recent call last):
08-14-2024 10:30:28.269 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}:   File "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\splunk_ta_paloalto\aob_py3\solnlib\utils.py", line 153, in wrapper
08-14-2024 10:30:28.269 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}:     return func(*args, **kwargs)
08-14-2024 10:30:28.269 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}:   File "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\splunk_ta_paloalto\aob_py3\solnlib\credentials.py", line 137, in get_password
08-14-2024 10:30:28.269 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}:     f"Failed to get password of realm={self._realm}, user={user}."
08-14-2024 10:30:28.269 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}: solnlib.credentials.CredentialNotExistException: Failed to get password of realm=__REST_CREDENTIAL__#Splunk_TA_paloalto#configs/conf-splunk_ta_paloalto_settings, user=proxy.
08-14-2024 10:30:28.269 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}: .
08-14-2024 10:30:28.361 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}: WARNING:root:Run function: get_password failed: Traceback (most recent call last):
08-14-2024 10:30:28.361 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}:   File "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\splunk_ta_paloalto\aob_py3\solnlib\utils.py", line 153, in wrapper
08-14-2024 10:30:28.361 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}:     return func(*args, **kwargs)
08-14-2024 10:30:28.361 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}:   File "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\splunk_ta_paloalto\aob_py3\solnlib\credentials.py", line 137, in get_password
08-14-2024 10:30:28.361 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}:     f"Failed to get password of realm={self._realm}, user={user}."
08-14-2024 10:30:28.361 +0200 ERROR PersistentScript [20724 PersistentScriptIo] - From {"C:\Program Files\Splunk\bin\Python3.exe" "C:\Program Files\Splunk\etc\apps\Splunk_TA_paloalto\bin\Splunk_TA_paloalto_rh_settings.py" persistent}: solnlib.credentials.CredentialNotExistException: Failed to get password of realm=__REST_CREDENTIAL__#Splunk_TA_paloalto#configs/conf-splunk_ta_paloalto_settings, user=additional_parameters.

Please advise.

Tags: Palo Alto Cortex XDR, Palo Alto Networks Add-on for Splunk