That app is an externally-developed app so the support is on the author. Unfortunately the app hasn't been updated since 2021 and it doesn't list Cloud compatibility on Splunkbase so I think it'd be safe to assume the inputs should be configured on an on-prem HF.
There is no single good answer for this question. Firstly, you don't "query through firewalls". Splunk analyzes data it already has. So if you have the logs containing information about network sessions from your firewalls, you can search that data. Secondly, searches are very powerful but are in some aspects limited. Most importantly, SPL is not your normal imperative programming language, so "dynamically" tracking such sessions across a not-predefined set of hops would be impossible to implement. You could however do a search matching sessions from one fw to another (or even to a third and fourth). It might though - especially with bigger data sets - not be a very good solution performance-wise. It could be possible though to make a dynamic dashboard (it would require some client-side JS programming though to do it "nicely") to trace such sessions dynamically. It all depends on the particular use case if the detailed goal is achievable and if it makes sense from the performance point of view.
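As an added example (not part of the answer above or of any Splunk documentation), this is what the "search matching sessions from one fw to another" looks like for a fixed number of hops, under the question's own stipulation of no NAT and no significant delay. It assumes every firewall's session logs are already indexed under index=firewall with sourcetype fw:session, that the field names src_ip, dest_ip, dest_port and action are normalised across all firewalls, and that host carries the firewall name; all of those names, the index, and the example addresses are assumptions.

```spl
index=firewall sourcetype=fw:session action=allowed earliest=-15m
    src_ip=10.0.0.5 dest_ip=203.0.113.10
| sort 0 _time
| eval hop=host." @ ".strftime(_time, "%H:%M:%S")
| stats min(_time) AS first_seen
        max(_time) AS last_seen
        list(hop)   AS path
        dc(host)    AS hop_count
    BY src_ip dest_ip dest_port
| where hop_count > 1
| eval transit_seconds=last_seen-first_seen,
       path=mvjoin(path, " -> ")
| table src_ip dest_ip dest_port hop_count transit_seconds path
```

The 5-tuple in the BY clause is what ties one firewall's record of a session to the next firewall's record of the same session; drop the src_ip/dest_ip filter on the first line to see every multi-hop flow in the window, and expect it to get expensive on large data sets, as the answer warns. The sort before stats is only there so that list() preserves chronological order in path; if the firewalls' clocks are not synchronised, the order and transit_seconds will be wrong, which is one reason a session crossing NAT or PAT cannot be matched this way at all.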
We have no way of knowing what you're talking about.
1. What system are you talking about? Windows I presume.
2. Did you install the Splunk software on the machine?
3. Which one? Splunk Enterprise or Universal Forwarder?
4. Did you alter the installation process in any way?
5. Did the installation complete successfully?
6. What exactly are you trying to do now?
Hello, I am on Windows and am newer to Splunk and I have been doing some learning, so I was getting ready to follow along with some modules. But when I went to try and open the \bin, I came to find out that I don't even have the Splunk folder in my Windows folder! The only folder I can find with the name Splunk is a .splunk folder under my laptop user. Did I do something wrong in the installation process, and is there a way to resolve this?
I was wondering if there was a query to track flows through multiple firewalls. For example, I want to track the flow source IP ---> Firewall A ---> Firewall B ---> Firewall N ---> Destination IP. I understand that accuracy is not going to be there when dealing with NATs/PATs and of course delays along the path. However, if there are no delays and no NATs I am wondering if this would be possible and what that would look like.
Hi, We installed the splunk_TA_onelogin app on Splunk Cloud, however the setup page keeps on failing with the message "The "OneLogin - Setup Page" app has not been fully configured yet.". We verified the OneLogin credentials are working correctly. Question: Does the app work in Splunk Cloud? Should we install it on a heavy forwarder, as there are inputs.conf and props.conf files inside the TA package? Thanks, FL
I figured it out. I was just missing the host and guest port numbers in the oracle VM, NAT Network "port forwarding" setting
1. It's not clearly written but you don't install Splunk server and a UF on the same machine. But more importantly
2. For Windows events you use the wineventlog type inputs. You don't monitor the evtx file.
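As an added example (not from the answer above or from the tutorial the question mentions), here is the forwarder-side configuration the answer implies, with the evtx monitor stanza from the question kept as a commented-out "before" beside the WinEventLog stanzas that replace it, plus the outputs.conf the forwarder needs and the receiving stanza on the indexer. The index name winevtx comes from the question; the indexer address is a placeholder, and the channel choice is an assumption.

```ini
# inputs.conf on the Universal Forwarder
# (e.g. C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local\inputs.conf)

# Before: a file monitor on the binary .evtx files. The monitor input treats them as
# text, so nothing usable reaches the index. Remove this stanza.
# [monitor://C:\Windows\System32\Winevt\Logs\*.evtx]
# disabled = false
# index=winevtx

# After: the Windows Event Log input, one stanza per channel (assumed channel set)
[WinEventLog://Security]
disabled = 0
index = winevtx
renderXml = true

[WinEventLog://System]
disabled = 0
index = winevtx

[WinEventLog://Application]
disabled = 0
index = winevtx

# outputs.conf on the same forwarder: where the events are sent
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = INDEXER_HOST_PLACEHOLDER:9997

# inputs.conf on the indexer (Splunk Enterprise): accept forwarder traffic on 9997.
# The same stanza is created by Settings > Forwarding and receiving > Receive data.
[splunktcp://9997]
disabled = 0
```

Two checks are worth doing after restarting the forwarder. On the forwarder, `splunk btool inputs list WinEventLog --debug` (from its bin directory) shows whether the stanzas were merged from the file you think they were. On the indexer, `index=_internal source=*metrics.log group=tcpin_connections` lists every forwarder that has connected on 9997; if the forwarder's host never appears there, the problem is connectivity or outputs.conf, not the inputs. The winevtx index must also exist on the indexer, or the indexer drops the events and logs the error in its own splunkd.log.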
Hello Splunk community, in a nutshell my problem is I have set up Splunk and a forwarder on a server, added input and output rules respectively. However I am receiving no data from the forwarders to my Splunk dashboard. I am very new to the info sec world and I am following a tutorial on bluecapesecurity.com for setting up a medium home lab. I have a windows 19 server and enterprise client installed. I would love any input on possible solutions. I am sure it's going to be something simple or a single setting I missed.

The inputs.conf file is:

# All Windows Event logs
[monitor://C:\Windows\System32\Winevt\Logs\*.evtx]
disabled = false
index=winevtx

The inputs.conf file is saved in: C:\Program Files\SplunkUniversalForwarder\etc\apps\SplunkUniversalForwarder\local

I have set up inbound and outbound rules for letting anything from the Splunk program through as well as opened port 9997.
Thank you! I'd forgotten / didn't realise I could chain terms together in searches. Your last example triggered the lightbulb. Your help is much appreciated!
Yes. Dev and trial licenses are for single instance installations only. If you try to set up multiple servers in your setup with the same license you'll get errors and/or warnings about not-working functionalities or duplicate license keys, depending on your architecture.
Your data presentation suggests that they were obtained with stats values(), which means that you'd have two separate multivalued fields. There is no relation between values in those fields, so you can't (easily) remove corresponding values from both fields. You should filter your values before summarizing them.
Hi @CuriousSplunky, supposing that you created the table using a stats command, you have only to add a search command after the stats:

<your_search>
| stats values(grade) AS Grade BY User Subject
| search Subject IN (Physics, Social)

Ciao. Giuseppe
Hi @CuriousSplunky .. your current search query and the sample data would be better to have.. thanks.
Created a local directory within the SplunkDeploymentServerConfig app. Added the outputs.conf at /opt/splunk/etc/apps/SplunkDeploymentServerConfig/local/outputs.conf:

[indexAndForward]
index = true
selectiveIndexing = true

Clients started reporting to the DS after restarting Splunk. Thankful I found this thread.
What do your raw events look like?
Just to follow up with what my problem was, I had a license set for an individual instance. I thought distributed meant multiple instances of each type of Splunk server, i.e., multiple indexers, SHs, forwarders, etc. I didn't realize one SH, one indexer, and one forwarder counted as distributed. Either way, putting in the 10 GB/day distributed license did the trick. Now dev works.
> headers, but I'm still unsure of how to parse each individual value ("meteoTemp", or "meteolunarPercent" for example) into separate objects so they can represented by separate and I am confused.

Have you viewed my sample output? meteoTemp and meteolunarPercent are extracted by spath, and tabulated in my example. You can plot them however you want. For example,

source="mqtt://MeteoMQTT"
| rex "msg=(?<msg>.+)"
| spath input=msg
| timechart avg(meteoTemp) as avgMeteoTemp max(meteolunaPercent) as maxMeteolunaPercent

If you do not get those fields, you need to play with my emulation and carefully compare with your raw data and post data that is representative of the actual data structure.
I want to add onto this that I am also having this problem. Except the command exceeds the 360 timeout by a minute or more.
Hello, My Splunk query returns the marks of students in the below format.

User    Subject    Grade
John    Physics    D
        Science    A
        Math       B
        Social     C
        History    D
Mark    Physics    A
        Social     B
        History    C
Sam     Math       C
        Social     D
        History    A

How can I filter the query to show only marks for Physics and Social? Somewhat like the below.

User    Subject    Grade
John    Physics    D
        Social     C
Mark    Physics    A
        Social     B
Sam     Social     D

Thank you!