Hi Splunkers! I wish to get data in a specific time range using the earliest and latest command. I have checked with the time picker; events are there within the specified range. But when I am trying to run an SPL query it's not working. I have tried with ISO format and custom format as shown below. When I use ISO format it's giving an error:
index=main sourcetype="access_combined_wcookie" earliest="2024-01-15T20:00:00" latest="2024-02-22T20:00:00"
And when I use the custom format as shown below it's returning 0 events:
index=main sourcetype="access_combined_wcookie" earliest="1/15/2024:20:00:00" latest="2/22/2024:20:00:00"
Please help. I want to do this using the earliest and latest command only.
Your lookup seems to contain wildcarded entries. How is Splunk supposed to know what hosts this should match (assuming you even have your lookup defined correctly with a wildcard match) if you have no events to match with?
Hi @k150, in which app is this dashboard? I suppose that you already installed the Splunk Common Information Model app (https://splunkbase.splunk.com/app/1621), is it true? Ciao. Giuseppe
First of all, you need to illustrate your data and corresponding lookup entries to prove that the output is incorrect. Otherwise it is just that your lookup has nothing matching the raw event. Second, from a glance, it looks like your events use lower case whereas your lookup values are in upper case. You need to ask yourself: Is this necessary? If it is necessary, does your lookup have case_sensitive_match=0? A second question you need to answer is: the lookup contains wildcards. Is the lookup set up with matchtype=WILDCARD(host)?
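To make the two checks in this reply concrete, here is a small Python model of how a lookup behaves under the two transforms.conf settings it mentions (the setting is spelled `match_type` in transforms.conf; `case_sensitive_match` defaults to true). This is an added illustration, not Splunk's code or the poster's: the lookup rows and events are constructed, and the matching logic is a deliberate simplification of Splunk's lookup engine.

```python
"""Toy model of Splunk lookup matching (constructed example, not Splunk's code).

Models two transforms.conf settings:
  case_sensitive_match = true|false   (Splunk default: true)
  match_type = WILDCARD(<field>)      (default: exact match)
and shows why upper-case, wildcarded lookup keys fail to enrich lower-case events.
"""
import fnmatch
from typing import Dict, Iterable, List, Optional

# Constructed lookup rows: upper-case, wildcarded host keys, as in the scenario above.
LOOKUP_ROWS: List[Dict[str, str]] = [
    {"host": "WEB-*", "owner": "web-team"},
    {"host": "DB-PROD-*", "owner": "dba"},
    {"host": "JUMPHOST01", "owner": "secops"},
]

# Constructed events whose host field is lower-case.
EVENTS: List[Dict[str, str]] = [
    {"host": "web-01", "_raw": "GET /index.html 200"},
    {"host": "db-prod-03", "_raw": "slow query 2.4s"},
    {"host": "jumphost01", "_raw": "sshd: Accepted publickey"},
]


def _field_matches(pattern: str, value: str, wildcard: bool, case_sensitive: bool) -> bool:
    """Compare one lookup key against one event value under the given settings."""
    if not case_sensitive:
        # case_sensitive_match = false: fold both sides before comparing.
        pattern, value = pattern.lower(), value.lower()
    if wildcard:
        # fnmatchcase does no case folding of its own, so the folding above is in control.
        return fnmatch.fnmatchcase(value, pattern)
    return pattern == value


def lookup_match(
    event: Dict[str, str],
    rows: Iterable[Dict[str, str]],
    key: str = "host",
    wildcard_fields: Iterable[str] = (),
    case_sensitive: bool = True,
) -> Optional[Dict[str, str]]:
    """Return the output fields of the first row whose key matches the event, else None."""
    wildcard = key in set(wildcard_fields)
    for row in rows:
        if _field_matches(row[key], event.get(key, ""), wildcard, case_sensitive):
            return {k: v for k, v in row.items() if k != key}
    return None


def enrich(events: Iterable[Dict[str, str]], rows: List[Dict[str, str]], **settings) -> List[Dict[str, str]]:
    """Apply the lookup to every event; unmatched events receive no output fields."""
    return [{**ev, **(lookup_match(ev, rows, **settings) or {})} for ev in events]


def count_matched(events: Iterable[Dict[str, str]], rows: List[Dict[str, str]], **settings) -> int:
    """Number of events that picked up the 'owner' output field."""
    return sum(1 for ev in enrich(events, rows, **settings) if "owner" in ev)


if __name__ == "__main__":
    # Walk through the four combinations so the effect of each setting is visible.
    for wildcard in (False, True):
        for case_sensitive in (True, False):
            n = count_matched(
                EVENTS, LOOKUP_ROWS,
                wildcard_fields=("host",) if wildcard else (),
                case_sensitive=case_sensitive,
            )
            print(f"match_type={'WILDCARD(host)' if wildcard else 'exact'} "
                  f"case_sensitive_match={str(case_sensitive).lower()} -> {n}/{len(EVENTS)} enriched")
```

Run as-is to see that only the combination of `WILDCARD(host)` and `case_sensitive_match = false` enriches all three events; with the defaults (exact, case-sensitive) nothing matches, which is the "lookup has nothing matching the raw event" outcome described above.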
The document is saying that the splunkd_ui_access.log uses the Apache access.log common format. So, the same extraction is applied. It is unrelated to your use of Apache httpd. If you have more fields, you need to illustrate your data and point out where additional information can be extracted.
Figured it out. The kvstore is populated with my Python script, and I noticed that the "exception" field was written as a True/False boolean type. This would translate as 1 and 0 (number/integer) in Splunk search results, but the boolean type created issues for automatic lookups (for some reason it thought it was an indexed field). I changed this data type to integer in my script, and it fixed the problem.
I'm trying to create some dashboards to make reading _internal logs easier. I'm trying to figure out what all of the fields we are getting in are. This Splunk Doc has the gist of what I am looking at, but we have more fields than that. In the doc it mentions something about Apache and its logs, and whereas we do use Apache, I'm not well versed enough in it to understand what I was looking at fully. I think we are adding in extracted fields, or adding in values in the processing that Splunk does. How can I track down what .conf file is adding the fields? I'd like to have a better understanding of where these values come from. There are a lot more fields than the _raw logs seem to have, like metadata.
This behaviour is typically a result of having both INDEXED_EXTRACTIONS as well as search-time extractions active. Can't say what your effective config is, so don't know for sure why it's happening.
I request that there be the ability to create groups of users in Enterprise Security so that when you need to add them to an investigation you don't have to go through and select your whole team individually; instead you can have groups that have those people in them, like group IR and group SOC. If you have a team of more than 3 people it gets old having to add them all individually. I would also request a notes section where you can place notes on the investigation for all collaborators to see.
Hi, I have a dashboard created in Dashboard Studio. This contains two dropdowns (Country and State). Both of them are interdependent on each other to display values and have the default value set to * (All). When I select a value from the Country dropdown, it loads its states in dropdown 2. But when I make the selection a second time, for example USA --> India, States will still have California displayed. But on clicking the States dropdown later, I can see India-related states with California as the first value. Is there a way that the dropdown selection can be reset automatically based on the other dropdown's value? For example, when I select USA, the states of USA must be displayed in the States dropdown. When I change the selection from USA to India, the States dropdown should show either All or the first Indian state. Please help on this. Regards, PNV