All Posts
We still don't know *how* you are trying to extract fields. The erex command and the extraction wizard struggle with complex events, so consider using one of the commands suggested by @yuanliu. If you only need a few fields, you may have some luck using the rex command to extract them.
I have Splunk 8.2.9 and I wanted to upgrade to version 9. Can I use the same license after the upgrade?
No, limits.conf has nothing to do with the fact that the "graphical" extractor can guess your settings in only relatively basic cases (and can do it well in even rarer ones). If your events are properly formatted XML entities, you should rather use KV_MODE=xml in your sourcetype settings.
Try connecting directly to one of your search heads (through an SSH tunnel if needed) and see if IR is showing now, and investigate your haproxy.conf.
Hello, if you have these errors while loading Incident Review and you are behind a haproxy server, there is probably a misconfiguration. Possible web errors:
Error loading some filters
Updating...
Waiting for data...
Hello @., Did the reply from Sunil help? If so, please click the 'Accept as Solution' button. If not, reply on this thread to keep the conversation going.
Subject moved to https://community.splunk.com/t5/All-Apps-and-Add-ons/Solution-Splunk-Enterprise-Security-ES-incident-review-not/m-p/694084/thread-id/80869#M80870
Hi @Jananie.Rajeshwari, Thanks for asking your question on the Community. I was able to find some existing information to give you a lead, but you may want to contact Support for this one. TSV_TNEW_PAGE_ALLOC_FAILED means no more virtual memory can be allocated. The paging area is virtual memory and is used to store data for ABAP processing on disk space. It is stored as IL<inst>.DAT files. For better analysis, you can check the SAP Memory section of transaction ST02 (check the attached 'image.png'). Check your MaxUse (peak usage) column for the page area and extended memory. If MaxUse is nearing the sum of In Mem + OnDisk, you might want to increase your maximum allowed page area parameter to prevent running out of memory in future. Additional info can be found in note: https://launchpad.support.sap.com/#/notes/133909 This issue can also be raised if the file system on the OS level is full, therefore we recommend checking that you have enough physical memory free to accommodate all memory allocations. A list of them can be found in note https://launchpad.support.sap.com/#/notes/88416
Hello, I am using Splunk Enterprise with IT Essentials Work, Windows Addon and Content Pack for Windows Dashboards and Reports. I made all the necessary configurations for Content Pack for Windows Dashboards and Reports but still I can not see any data in the dashboards or the reports.

In the eventtypes.conf file in the DA-ITSI-CP-windows-dashboards/local folder I made the following changes:

[windows_index_windows]
definition= index=windows OR index=main

[perfmon_index_windows]
definition= index=perfmon OR index=itsi_im_metrics

[wineventlog_index_windows]
definition= index=wineventlog OR index=main

I think the problem starts from the fact that eventtypes are not recognized in searches. For example the search

(eventtype=msad-successful-user-logons OR eventtype=msad-failed-user-logons)

returns nothing. In eventtypes.conf the above stanza is:

[msad-successful-user-logons]
search = eventtype=wineventlog_index_windows eventtype=wineventlog_security EventCode=4624 user!="*$"

If I run the search

index=main EventCode=4624 user!="*$"

I get results. Can someone help me to solve the problem? Thanks

[msad_index_windows]
search= index=msad OR index=main
Thanks for replying, and sorry for the lengthy delay. Metrics dashboards never seem to be the priority! Changing the token names did not work; panel 2 doesn't load. I continue to get the red ! in the top right, asking for "Set token value to render visualization" specifically for $latest_time$ (or whatever name variation I try).
This is structured data in XML.  Splunk's extraction tool is either regex or delimiter based and will not be robust.  I recommend that you forget about extraction, just run spath or xmlkv at search time.
I was able to get it running. The culprit was RAM. I increased it significantly and it is starting up now.
In the last couple of days, I have seen a few license alerts: "This pool has exceeded its configuration poolsize=5GB bytes. A CLE warning has been recorded for all members." Then I tried to look at the License Usage report by host and I see a couple of issues:
1. My indexer itself is using up most of the license.
2. My indexer is listed twice, one in all capitals (SPLUNK-SERVER1) and a 2nd one with the regular FQDN (splunk-server1.mydomain).
For the 1st issue, I checked more and saw /var/log/audit/audit.log is the culprit. What can I do to limit it? For the 2nd issue, I guess I have spelled out the server name differently. Where can I check other than /opt/splunk/etc/system/local/server.conf? Thanks for your help.
Something like

| where match(X, "\b(SI|SB)\b")
| stats sum(SNO) as SNO_total

Here is a full emulation:

| makeresults format=csv data="SNO, X
1,400
2, SI-SCRIPT-ERROR
3, (SI-BPR-01)
4, SB-Timeout
5, SB-OrderFound
6, (SB-BPR-02)--(SB-EXL-001)
7, 201
8, SI-RAS-200
9,"
``` data emulation above ```
| where match(X, "\b(SI|SB)\b")
| stats sum(SNO) as SNO_total

Result is

SNO_total
28
I am looking for a solution to extract rows containing certain keywords from column "X", and the remaining data will be added to "Total". For example, any keyword with SI or SB will be added to the count field "Log", and the other entries, excluding empty cells, will be added to the count field "Total".

SNO  X
1    400
2    SI-SCRIPT-ERROR
3    (SI-BPR-01)
4    SB-Timeout
5    SB-OrderFound
6    (SB-BPR-02)--(SB-EXL-001)
7    201
8    SI-RAS-200
9    <empty>
Hello @richgalloway

Here is an example (not complete), but for instance, when I try to extract the event ID, the user 'bob', and the time, I cannot do it for everything. Moreover, it doesn't extract from all events, so I try to do it manually, and it shows me another error.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Service Control Manager' Guid='{555908d1-a6d7-4695-8e1e-26931d2012f4}' EventSourceName='Service Control Manager'/><EventID Qualifiers='16384'>7036</EventID><Version>0</Version><Level>4</Level><Task>0</Task><Opcode>0</Opcode><Keywords>0x8080000000000000</Keywords><TimeCreated SystemTime='2014-04-24T18:38:37.868683300Z'/><EventRecordID>412598</EventRecordID><Correlation/><Execution ProcessID='192' ThreadID='210980'/><Channel>System</Channel> <Computer>TEST</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S18</Data><Data Name='SubjectUserName'>BOB</Data><Data Name='SubjectDomainName'>GOZ</Data><Data Name='SubjectLogonId'>x0</Data><Data Name='TargetUserSid'>s20</Data><Data Name='TargetUserName'>BOBT</Data><Data Name='TargetDomainName'>TESTTGT</Data><Data Name='TargetLogonId'>x0</Data><Data Name='LogonType'>x</Data><Data
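An added example (not from this thread) of what a real XML parser, rather than a regex or delimiter extractor, gets out of an event shaped like the one above: the header fields from <System> and the user fields from <EventData>, which live in identical <Data> elements told apart only by their Name attribute. The sample event and its values are constructed, and safe_parse shows the failure mode of a truncated record like the one pasted in the question.

```python
import xml.etree.ElementTree as ET

# Windows event-log XML namespace (the xmlns on <Event> in the question).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample with the same layout as the event in the question; the
# values are made up and, unlike the pasted one, the record is complete.
SAMPLE_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Service Control Manager'/>"
    "<EventID Qualifiers='16384'>7036</EventID>"
    "<TimeCreated SystemTime='2014-04-24T18:38:37.868683300Z'/>"
    "<EventRecordID>412598</EventRecordID><Computer>TEST</Computer></System>"
    "<EventData><Data Name='SubjectUserName'>BOB</Data>"
    "<Data Name='SubjectDomainName'>GOZ</Data>"
    "<Data Name='TargetUserName'>BOBT</Data>"
    "<Data Name='LogonType'>3</Data></EventData></Event>"
)


def parse_event(xml_text):
    """Extract header fields from <System> and every <EventData><Data Name=...>
    pair, keyed by its Name attribute. A tag-name based extractor only sees a
    list of identical <Data> elements, which is why it loses the user names."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "EventID": system.findtext("e:EventID", namespaces=NS),
        "Computer": system.findtext("e:Computer", namespaces=NS),
        "SystemTime": system.find("e:TimeCreated", NS).get("SystemTime"),
    }
    for data in root.iterfind("e:EventData/e:Data", NS):
        if data.get("Name"):
            fields[data.get("Name")] = (data.text or "").strip()
    return fields


def safe_parse(xml_text):
    """Return None instead of raising for truncated or malformed events, so one
    bad record (like the cut-off one in the question) does not stop a batch."""
    try:
        return parse_event(xml_text)
    except ET.ParseError:
        return None
```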
Hello, I have to create a new correlation search looking for failed authentication to VPN. The rule should trigger if there are more than 5 login failures for a source IP and if there are 20 distinct source IPs with more than 80% login failures. At the moment I wrote the current query:

| tstats `summary_fillnull` values(Authentication.index) as index, values(sourcetype) as sourcetype, values(host) as host, values(Authentication.signature_id) as signature_id, count
    from datamodel=Authentication
    where NOT [| `authentication_whitelist_generic`] nodename="Authentication.Failed_Authentication"
    by Authentication.src, Authentication.user, Authentication.dest, Authentication.Error_Code, Authentication.Sub_Status
| `drop_dm_object_name("Authentication")`
``` Error_Code and Sub_Status exclusions ```
| `windows_errorcode_substatus_exclusion`

Does anyone have an idea on how to proceed? Thanks in advance
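An added reference implementation (not part of the thread, and not Splunk code) of the two-stage threshold the question describes, useful for checking what the finished correlation search should return on known data. It assumes the rule means: a source is "offending" when it has more than 5 failures and more than 80% of its attempts failed, and the alert fires when at least 20 distinct sources are offending; the events and IP addresses are constructed.

```python
from collections import defaultdict

MIN_FAILURES = 5          # more than 5 failures per source IP
MIN_FAILURE_RATIO = 0.8   # more than 80 % of that source's attempts failed
MIN_SOURCES = 20          # distinct offending source IPs needed to alert


def per_source_stats(events):
    """events: iterable of (src, action), action being 'success' or 'failure'.
    Equivalent of counting by src and action and then computing the ratio."""
    failures = defaultdict(int)
    attempts = defaultdict(int)
    for src, action in events:
        attempts[src] += 1
        if action == "failure":
            failures[src] += 1
    return {src: (failures[src], failures[src] / attempts[src]) for src in attempts}


def offending_sources(events):
    """Sources that exceed both per-source thresholds (first stage)."""
    return sorted(src for src, (fails, ratio) in per_source_stats(events).items()
                  if fails > MIN_FAILURES and ratio > MIN_FAILURE_RATIO)


def should_alert(events):
    """Second stage: enough distinct offending sources to fire the rule."""
    return len(offending_sources(events)) >= MIN_SOURCES


def constructed_events(n_noisy_sources):
    """Constructed sample: n sources with 9 failures and 1 success each, one
    busy but legitimate source (20 failures in 100 attempts, so a 20 % failure
    ratio) and one quiet source with 3 failures. Addresses are from the
    documentation ranges 203.0.113.0/24 and 198.51.100.0/24."""
    events = []
    for i in range(n_noisy_sources):
        src = f"203.0.113.{i + 1}"
        events += [(src, "failure")] * 9 + [(src, "success")]
    events += [("198.51.100.7", "failure")] * 20 + [("198.51.100.7", "success")] * 80
    events += [("198.51.100.8", "failure")] * 3
    return events


if __name__ == "__main__":
    print("alert:", should_alert(constructed_events(20)))
```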
Here is what I did for v9.1.5.

Add this CSS to
/opt/splunk/share/splunk/search_mrsparkle/exposed/build/css/bootstrap-dark.css
/opt/splunk/share/splunk/search_mrsparkle/exposed/build/css/bootstrap-light.css
------------------
/* The switch - the box around the slider */
.autoexpand { margin-top: 2px; }
.autoexpandtext { margin-right: 5px; }
.switch {
  position: relative;
  display: inline-block;
  width: 43px;
  height: 18px;
  margin-top: 5px;
  margin-bottom: 0px;
}
/* Hide default HTML checkbox */
.switch input { opacity: 0; width: 0; height: 0; }
/* The slider */
.slider {
  position: absolute;
  cursor: pointer;
  top: 0; left: 0; right: 0; bottom: 0;
  background-color: #ccc;
  -webkit-transition: .4s;
  transition: .4s;
}
.slider:before {
  position: absolute;
  content: "";
  height: 10px;
  width: 10px;
  left: 4px;
  bottom: 4px;
  background-color: white;
  -webkit-transition: .4s;
  transition: .4s;
}
input:checked + .slider { background-color: rgb(92, 192, 92); }
input:focus + .slider { box-shadow: 0 0 1px #2196F3; }
input:checked + .slider:before {
  -webkit-transform: translateX(26px);
  -ms-transform: translateX(26px);
  transform: translateX(26px);
}
/* Rounded sliders */
.slider.round { border-radius: 34px; }
.slider.round:before { border-radius: 50%; }
------------------

In
/opt/splunk/share/splunk/search_mrsparkle/exposed/build/pages/dark/search.js
/opt/splunk/share/splunk/search_mrsparkle/exposed/build/pages/light/search.js
search for "pull-right jobstatus-control-grouping" and add this text in that div element:
------------------
<div class="autoexpand"><span class="autoexpandtext">AutoexpandJSON</span><label class="switch"><input type="checkbox" checked><span class="slider round"></span></label></div>
------------------

In the same search.js files
/opt/splunk/share/splunk/search_mrsparkle/exposed/build/pages/dark/search.js
/opt/splunk/share/splunk/search_mrsparkle/exposed/build/pages/light/search.js
add this script to the bottom:
------------------
let autoExpandPropertyName = 'jsonAutoExpand';
let autoExpandSetting = localStorage.getItem(autoExpandPropertyName);
let observer2Added = false;

$(document).ready(function() {
  if (autoExpandSetting === null) {
    localStorage.setItem(autoExpandPropertyName, '1');
    autoExpandSetting = '1';
  }
  if (autoExpandSetting === '1') {
    function autoExpand() {
      // console.log("autoExpand started");
      $(".jsexpands").each(function() {
        if ($(this).html() == '[+]') {
          $(this)[0].click();
        }
      });
    };
    setTimeout(() => {
      console.log("Delayed");
      // select the target node
      var target = $(".shared-eventsviewer")[0];
      console.log(target);
      // create an observer instance
      var observer6 = new MutationObserver(function(mutations) {
        mutations.forEach((mutation) => {
          if (!mutation.addedNodes) return;
          autoExpand();
          $(".events-controls-inner").click(); // does not refresh table if missing
        });
      });
      // configuration of the observer:
      var config = { attributes: false, childList: true, characterData: true, subtree: true };
      // pass in the target node, as well as the observer options
      observer6.observe(target, config);
    }, "500");
  }

  function toggleAutoexpand(mutation) {
    const slider = document.querySelector('.slider');
    if (slider === undefined || slider === null) return;
    if (observer2Added) return;
    observer2Added = true;
    if (autoExpandSetting === '0') {
      $(".switch")[0].childNodes[0].checked = false;
    }
    slider.addEventListener('click', () => {
      let storageValue = localStorage.getItem(autoExpandPropertyName);
      if (storageValue === '1') localStorage.setItem(autoExpandPropertyName, '0');
      else localStorage.setItem(autoExpandPropertyName, '1');
      location.reload();
    });
    observer2.disconnect();
  };

  let observer2 = new MutationObserver((mutations) => {
    mutations.forEach((mutation) => {
      if (!mutation.addedNodes) return;
      toggleAutoexpand(mutation);
    });
  });
  setTimeout(() => {
    observer2.observe($(".shared-eventsviewer")[0], {
      childList: true, subtree: true, attributes: false, characterData: false
    });
  }, "500");
});
------------------

To refresh the Splunk CSS and JS caching use the link: https://yourinstance:8000/en-GB/_bump

On the next Splunk update you have to repeat the process if everything remains the same. I couldn't find any other way.
I'm thinking what I want to do is perhaps not possible; I tried another variation on the code that doesn't pull in the problem values:

(sourcetype="incident") OR (sourcetype="problem")
| eval incident=if(sourcetype="incident",number,null()),
       problem=if(sourcetype="incident",dv_problem_id,null()),
       prb_field=if(sourcetype="problem",dv_number,dv_problem_id)
| stats latest(eval(if(sourcetype="incident",dv_opened_at,null()))) as inc_opened,
        latest(problem) as problem,
        latest(eval(if(sourcetype="problem",dv_state,null()))) as prb_state
        by incident, prb_field