All Posts

You can use a tool like https://www.nirsoft.net/utils/simple_wmi_view.html to verify your WQL.
OK. Different retention periods are a valid reason for distributing data between different indexes. The caveat with splitting data this way is that while configuration like [mysourcetype] TRANSFORMS-redirect=redirect_to_index1,redirect_to_index2,redirect_to_index3... is valid, you have to remember that all transforms will be called for each event. So Splunk will try to match each of the regexes contained within every transform to each event. The more indexes you want to split to, the more work the indexer (or HF, depending on where you put this config) will have to do. Additional question: where are you getting the data from? Maybe it would be better to split the event stream before it hits Splunk.
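As an added example (not part of the reply above and not taken from Splunk's documentation), this is what that TRANSFORMS-redirect chain looks like in props.conf and transforms.conf. The sourcetype name mysourcetype and the three transform names come from the reply; the severity field, its values and the index names index1/index2/index3 are assumptions used for illustration.

```conf
# props.conf, on the indexer or heavy forwarder that parses this sourcetype.
# (sourcetype name from the reply; field and index names below are assumed)
[mysourcetype]
TRANSFORMS-redirect = redirect_to_index1, redirect_to_index2, redirect_to_index3

# transforms.conf
# Every stanza listed above is run against every event of the sourcetype, in
# list order. Each one that matches overwrites _MetaData:Index, so a later
# match wins; keeping the regexes mutually exclusive avoids ordering surprises.
[redirect_to_index1]
REGEX = (?i)\bseverity=(?:critical|high)\b
DEST_KEY = _MetaData:Index
FORMAT = index1

[redirect_to_index2]
REGEX = (?i)\bseverity=medium\b
DEST_KEY = _MetaData:Index
FORMAT = index2

[redirect_to_index3]
REGEX = (?i)\bseverity=(?:low|info)\b
DEST_KEY = _MetaData:Index
FORMAT = index3
```

Keep the regexes cheap and anchored, since all three run against every event of the sourcetype; that is the per-event cost the reply describes. An event that matches none of them stays in the index configured on the input. The target indexes must exist on the indexer: by default an event routed to a missing index is dropped unless lastChanceIndex is set in indexes.conf. Beyond retention, separate indexes are also how Splunk scopes role permissions, so this same routing is what lets you restrict who can search the more sensitive slice of the data.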
I tried with the WQL that is in the Splunk App for Windows by default. It is giving the same error. I am using WMI because I want to fetch near-real-time resource consumption with respect to the services running on Windows. That information is not coming via Perfmon.
I am using two stats:

1. The first stats has some fields filtered by _time:
| stats count(totalResponseTime) as TotalTrans by Product URI methodName _time

2. The second stats has some fields filtered without time:
| stats sum(TS>3S) As AvgImpact count(URI) as DataOutage by Product URI Method

I want the fields of both stats to be displayed in the result, e.g.:
| fields TotalTrans Product URI Method AvgImpact DataOutage

How can I achieve this?
I have a deployment where multiple computers are sending logs to a WEF server using WEF (Windows Event Forwarding). I tried to map the ComputerName field to the host field but failed to do so. Now I want to create an alert if any of the computers is not sending logs to Splunk. How can I do so? The method defined by Splunk is based on the index, host and sourcetype fields, which will remain the same for all computers in our case.
https://dev.splunk.com/enterprise/docs/developapps/manageknowledge/custominputs/modinputsoverview/
https://docs.splunk.com/Documentation/Splunk/latest/Data/Getdatafromscriptedinputs
Writing a custom script would, of course, be up to you. Monitoring an intermediate file is just normal file ingestion, so nothing extraordinary.
Please find my answers below each question.

Q: Do you need an alert if there has been a problem which has not been recovered within 15 minutes in your data even if it was recovered after 16 minutes or later?
A: If the PROBLEM alert is not RECOVERED after 15 minutes, we need to trigger a script.

Q: Are you only interested in whether the last problem (without a recovery) was over 15 minutes ago?
A: YES

Q: Can you get multiple problems (without recovery) events for the same problem?
A: Yes, I am running this on edge nodes, which are limited hosts. It could be multiple hosts as well.

Q: Does the 15 minutes start when the PROBLEM event for the latest PROBLEM first occurs?
A: YES

Q: Does the 15 minutes start when the PROBLEM event for the latest PROBLEM last occurs?
A: NO

Q: How far back are you looking for these events?
A: The last 30 minutes.

Q: How often are you looking for these events?
A: Every 15 minutes.

Can you check the below snippet as well?
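The answers above pin the requirement down well enough to write the scheduled search. The following is an added example, not the original poster's search, and it assumes an index named edge_alerts and a field named state carrying the literal values PROBLEM and RECOVERED per host (those field and index names are assumptions; the values and the 15/30-minute figures come from the thread). It returns every host whose latest run of PROBLEM events, meaning everything after that host's last RECOVERED event, began more than 15 minutes ago.

```spl
index=edge_alerts earliest=-30m (state="PROBLEM" OR state="RECOVERED")
| sort 0 host _time
| streamstats count(eval(state=="RECOVERED")) as recoveries by host
| stats min(eval(if(state=="PROBLEM", _time, null()))) as first_problem
        count(eval(state=="PROBLEM")) as open_problems
        by host recoveries
| sort 0 host -recoveries
| dedup host
| where open_problems > 0 AND (now() - first_problem) > 900
| eval minutes_open = round((now() - first_problem) / 60)
| table host first_problem minutes_open
```

The streamstats counter increments on each RECOVERED event, so all PROBLEM events that follow the same recovery share one value of recoveries; stats then gives the start time of each such run, and dedup after sorting by recoveries descending keeps only the most recent run per host. A run that ends with a RECOVERED event and nothing after it has open_problems = 0 and is ignored, which matches the answer that a problem fixed after 16 minutes should not keep firing. Schedule the search every 15 minutes (cron */15 * * * *), trigger when the number of results is greater than 0, and attach the script as the alert action; add per-host throttling if the script must not re-run every 15 minutes for the same host. One caveat on the 30-minute window: if a problem produces a single PROBLEM event and then goes quiet, that event ages out of the window after 30 minutes and the alert stops seeing it, so widen earliest if your source does not repeat PROBLEM events.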
The error says it all. The wql parameter needs a valid WQL query to retrieve the data. Yours is not a proper WQL query. BTW, why are you using WMI? This is one of the worst ways of getting data from Windows.
Please clarify your requirements.
Do you need an alert if there has been a problem which has not been recovered within 15 minutes in your data even if it was recovered after 16 minutes or later?
Are you only interested in whether the last problem (without a recovery) was over 15 minutes ago?
Can you get multiple problems (without recovery) events for the same problem?
Does the 15 minutes start when the PROBLEM event for the latest PROBLEM first occurs?
Does the 15 minutes start when the PROBLEM event for the latest PROBLEM last occurs?
How far back are you looking for these events?
How often are you looking for these events?
Or will the Data Manager be the only solution for this kind of input?
Hi, I have an input issue with S3, for a bucket that is not in an AWS Security Lake. Is it possible to use the Splunk Add-on for AWS to ingest an S3 bucket containing Parquet-formatted files?
Thanks for the response. Any reference link to achieve the same would be helpful.
Hi, apologies if I'm using the wrong terminology here. I'm trying to configure SC4S to override the destination indexes of types of sources. For example, if an event is received from a Cisco firewall, by default it'll end up in the 'netfw' index. Instead, I want all events that would have gone to 'netfw' to go to, for example, 'site1_netfw'. I attempted to do this using the splunk_metadata.csv file but I now understand I've misinterpreted the documentation. I had used 'netfw,index,site1_netfw' but if I understand correctly, I'd actually need to have a separate line for each key, such as 'cisco_asa,index,site1_netfw'. Is that correct? Is there a way to accomplish what I want without listing each source key? Thanks
Perfect. Just to fast-track the process of getting service KPI IDs, we can use "service_kpi_lookup" to find the kpi_id and directly search using that ID in saved searches to spot the KPI base search:
| inputlookup service_kpi_lookup | search title="your_service_name"
Hi,

Can you please let me know how we can combine the outputs of multiple searches into a single field? For example, we need a single output for the below two searches.

Search1:
`macro_events_all_win_ops_esa` sourcetype=WinHostMon host=P9TWAEVV01STD (TERM(Esa_Invoice_Processor) OR TERM(Esa_Final_Demand_Processor) OR TERM(Esa_Initial_Listener_Service) OR TERM(Esa_MT535_Parser) OR TERM(Esa_MT540_Parser) OR TERM(Esa_MT542_Withdrawal_Request) OR TERM(Esa_MT544_Parser) OR TERM(Esa_MT546_Parser) OR TERM(Esa_MT548_Parser) OR TERM(Esa_SCM Batch_Execution) OR TERM(Euroclear_EVIS_Border_Internal) OR TERM(EVISExternalInterface))
| stats latest(State) as Current_Status by service
| where Current_Status != "Running"
| stats count as count_of_stopped_services
| eval status = if(count_of_stopped_services = 0 , "OK" , "NOK" )
| table status

Search2:
`macro_events_all_win_ops_esa` host="P9TWAEVV01STD" sourcetype=WinEventLog "Batch *Failed" System_Exception="*"
| stats count as count_of_failed_batches
| eval status = if(count_of_failed_batches = 0 , "OK" , "NOK" )
| table status

Output:
If the status for Search1 and the status for Search2 is OK, then the output should be OK.
If the status for Search1 or the status for Search2 is NOK, then the output should be NOK.
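One way to get a single status out of those two searches, as an added example that is not from the original post: run Search1 as the main search, append Search2 as a subsearch, merge the two count rows with a final stats, and make the OK/NOK decision once. Everything here is assembled from the two searches quoted above; stopped and failed are just local field names. The one change to the quoted terms is that the value with a space is searched as a quoted phrase rather than inside TERM(), because TERM() matches a single token and a space is a major breaker.

```spl
`macro_events_all_win_ops_esa` sourcetype=WinHostMon host=P9TWAEVV01STD
    (TERM(Esa_Invoice_Processor) OR TERM(Esa_Final_Demand_Processor) OR TERM(Esa_Initial_Listener_Service)
     OR TERM(Esa_MT535_Parser) OR TERM(Esa_MT540_Parser) OR TERM(Esa_MT542_Withdrawal_Request)
     OR TERM(Esa_MT544_Parser) OR TERM(Esa_MT546_Parser) OR TERM(Esa_MT548_Parser)
     OR "Esa_SCM Batch_Execution" OR TERM(Euroclear_EVIS_Border_Internal) OR TERM(EVISExternalInterface))
| stats latest(State) as Current_Status by service
| where Current_Status != "Running"
| stats count as count_of_stopped_services
| append
    [ search `macro_events_all_win_ops_esa` host="P9TWAEVV01STD" sourcetype=WinEventLog "Batch *Failed" System_Exception="*"
      | stats count as count_of_failed_batches ]
| stats sum(count_of_stopped_services) as stopped sum(count_of_failed_batches) as failed
| eval status = if(stopped == 0 AND failed == 0, "OK", "NOK")
| table status stopped failed
```

stats count always emits one row, with 0 when nothing matched, so each half contributes exactly one row and the final stats collapses them to a single result. The decision is written to fail closed: if the appended subsearch returns nothing (for example because it hit the subsearch time or result limits), failed is null, the comparison failed == 0 is not true, and the status is NOK rather than a false OK. Keeping stopped and failed in the output alongside status makes it obvious which half caused a NOK.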
Please find my answers below each question.

Q: Do you need an alert if there has been a problem which has not been recovered within 15 minutes in your data even if it was recovered after 16 minutes, or are you just interested in whether the last problem (without a recovery) was over 15 minutes ago?
A: YES

Q: Can you get multiple problems (without recovery) events for the same problem, i.e. do you need to know when the latest (or any) problem started (and whether it was fixed within 15 minutes)?
A: CORRECT
{"Time":"2024-07-29T08:18:22.6471555Z","Level":"Info","Message":"Targeted Delivery","Domain":"NA","ClientDateTime":"2024-07-29T08:18:21.703Z","SecondsFromStartUp":2,"UserAgent":"Mozilla/5.0 (Linux; Android 9; Redmi Note 8 Pro Build/PPR1.180610.011; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/127.0.6533.64 Mobile Safari/537.36 ,"Metadata":{"Environment":"Production"}}
Hello,

I am currently using Splunk UF 7.2 on a Windows Server, and my UF is configured on the D drive. I am getting the below error messages in splunkd.log:

07-29-2024 09:07:25.343 +0100 ERROR ExecProcessor - message from ""D:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: Win32_Service | SELECT Name, Caption, State, Status, StartMode, StartName, PathName Description)
07-29-2024 09:07:25.343 +0100 ERROR ExecProcessor - message from ""D:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"" WMI - Error occurred while trying to retrieve results from a WMI query (error="Query was not syntactically valid." HRESULT=80041017) (root\cimv2: Win32_PerfFormattedData_PerfProc_Process | SELECT Name, PSComputerName, WorkingSetPrivate, IDProcess, PercentProcessorTime)

$SPLUNK_HOME\etc\system\local\inputs.conf:
[default]
host = <hostname>

[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0

wmi.conf:
[settings]
initial_backoff = 5
max_backoff = 20
max_retries_at_max_backoff = 2
checkpoint_sync_interval = 2

[WMI:LocalProcesses]
interval = 20
wql = Win32_PerfFormattedData_PerfProc_Process | SELECT Name, PSComputerName, WorkingSetPrivate, IDProcess, PercentProcessorTime
disabled = 0

[WMI:Service]
interval = 86400
wql = Win32_Service | SELECT Name, Caption, State, Status, StartMode, StartName, PathName Description

Can someone please help? I am not using the Splunk Add-on for Windows.
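The reply earlier on this page says the wql values are not valid WQL, and the HRESULT in the log says the same thing: 80041017 is WBEM_E_INVALID_QUERY. A WQL statement lists the properties first and names the class after FROM; the stanzas above instead put the class first and pipe it into SELECT, which is search-language syntax, not WQL. Two smaller problems are in the same lines: the comma between PathName and Description is missing, and PSComputerName is a property that PowerShell's WMI/CIM cmdlets add to their output rather than one defined on the WMI class, so WMI itself does not know it. Below is an added, corrected wmi.conf; it is not the poster's file, but the stanza names, intervals and the remaining property lists follow the post.

```conf
# wmi.conf on the forwarder host. Corrected form of the stanzas quoted in the
# post above (added example, not the original file). Each wql value is a full
# WQL statement: properties first, class after FROM, commas between properties.
[settings]
initial_backoff = 5
max_backoff = 20
max_retries_at_max_backoff = 2
checkpoint_sync_interval = 2

# Per-process counters every 20 seconds. PSComputerName is dropped because it
# is not a property of this class (PowerShell adds it to cmdlet output).
[WMI:LocalProcesses]
interval = 20
wql = SELECT Name, IDProcess, WorkingSetPrivate, PercentProcessorTime FROM Win32_PerfFormattedData_PerfProc_Process
disabled = 0

# Service inventory once a day; note the comma before Description.
[WMI:Service]
interval = 86400
wql = SELECT Name, Caption, State, Status, StartMode, StartName, PathName, Description FROM Win32_Service
disabled = 0
```

Before restarting the forwarder you can check each statement on the host itself with PowerShell, for example Get-CimInstance -Namespace root\cimv2 -Query "SELECT Name, State FROM Win32_Service"; a malformed query fails there with the same invalid-query error, while a working one returns rows, which is the same check the NirSoft tool mentioned earlier in the thread performs. Because neither stanza sets server, both queries run locally under the forwarder's service account, which only needs read access to the root\cimv2 namespace; no remote WMI, DCOM or firewall exceptions are involved.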
Do you need an alert if there has been a problem which has not been recovered within 15 minutes in your data even if it was recovered after 16 minutes, or are you just interested in whether the last problem (without a recovery) was over 15 minutes ago?
Can you get multiple problems (without recovery) events for the same problem, i.e. do you need to know when the latest (or any) problem started (and whether it was fixed within 15 minutes)?
Hello @yuanliu,

Yes, but often I encounter events like this (just an example):

01/01/2014 11:10:38 AM
LogName=Security
EventCode=4625
EventType=0
ComputerName=TestY
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=2746
Keywords=Échec de l'audit
TaskCategory=Ouverture de session
OpCode=Informations
Message=
Echec d'ouverture de session d'un compte.
Sujet :
  ID de sécurité : S-0
  Nom du compte : -
  Domaine du compte : -
  ID d'ouverture de session : 0x0
Type d'ouverture de session : 3
Compte pour lequel l'ouverture de session a échoué :
  ID de sécurité : S-0
  Nom du compte : Albert
  Domaine du compte : -

When I try to display the logs in statistics, it shows one event with a user (-) and another event with a user (Albert), even though it is a single event. This happens because it extracts the account name in the "Subject" section and also in the "Logon Type" section. Regarding your question about the conversion to XML: no, I just modified the configuration by adding 'renderXml=1'.