The specs listed are the *minimums* specified by Splunk. What are the *actual* specs of the DS? Which version of Splunk is the DS running? How many apps are in the deployment-apps directory? Splunk does not use /root to store anything, and best practice is to put $SPLUNK_HOME and $SPLUNK_DB in separate mount points not shared with the OS. Have you run du to see what files/directories are using the most storage?
The datamodel is looking for specific values in the instanceId field; however, the screenshot does not show that an instanceId field exists in the data. Therefore, the DM will return no results and the dashboard will show nothing.
I guess the question can be broad, but I am coming from the following scenario: I am using the Splunk app, which has been configured and connection tested successfully in SOAR. Recently, something happened that I did not expect - the credentials to Splunk were rejected and the action to "run query" returned with an expected message of: "Unauthorized Access (401)". But then the action terminated there and did not continue with the rest of the playbook. I have another app action for Ansible Tower to run an (Ansible) playbook (action name is "run job"), and if the Ansible playbook fails, the action in Splunk SOAR is marked as FAILED, but the SOAR playbook continues otherwise. I can't tell what the difference is between these two actions that allows one to continue, but the other to halt the SOAR playbook progression. Any advice is appreciated.
They are coming into the HF through syslog UDP port.
Thank you so much! This worked beautifully. I have been trying to wrap my head around this for such a long time; it's so nice to see an outcome. Really appreciate your help.
I can't add any background images to a dashboard created in Dashboard Studio, and I presume it is because my role is missing the correct capability. I am trying to find information relating to what capability I need, but I could not find anything. ChatGPT answered that there is a capability "edit_visualizations", but I could not find info about that. Can someone help me with identifying the correct capability linked to adding a background image to a Dashboard Studio dashboard? Thanks in advance, Paul
Well, all of our servers are running 9.2.2 and all of our Universal Forwarders are running 9.2.1 or 9.2.2, and we are still seeing this log message. EDIT 2024-07-23: Never mind. Closer inspection of the logs shows that they are working correctly in 9.2.1 and 9.2.2. The messages with the crazy high numbers are from older systems. The newer ones still report a number, but none larger than 1,000,000 (most around 512 kB).
Just want to update: it's out of preview and the app link from rgalloway still works.
LINE_BREAKER must contain a capture group. Everything before the capture group is considered the "previous event", the capture group is treated as the event breaker _and is removed from your data_, and everything after the capture group is part of the "next event". Also - you still didn't say what constitutes a new event in your example.
| eval row=mvrange(0,2)
| mvexpand row
| eval sent=if(row=0,AMOUNT,null())
| where isnull(sent) OR sent>=250
| eval received=if(row=1,AMOUNT,null())
| eval account=if(row=0,ACCOUNT_FROM,ACCOUNT_TO)
| eventstats sum(sent) as total_sent sum(received) as total_received count(received) as count by account
| fillnull value=0 total_sent total_received
| where total_sent > total_received AND count > 10
Hi Team,

04/06/2024;10:08:36;Control;Machine ON
04/06/2024;10:05:39;Others;Start sample (D) ST 2 795 x1000
04/06/2024;10:05:36;Others;Sampling end ST 1
04/06/2024;10:00:25;Others;Start sample (D) ST 1 781 x1000
04/06/2024;09:55:33;Operator;Operator level: 0 -> 6 UP23477

After that, break the event. I have written a regex like

^\d{2}\/\d{2}\/\d{4};\d{2}:\d{2}:\d{2};Operator;Operator\slevel:\s0\s->\s+6\s+\w+

but it does not break the event. Please help me with the regex query.
Awesome... Thanks @ITWhisperer, worked like a charm.
What if I want to add the requirement that the amount received has to be above 250 and the number of received transactions has to be above 10? The original query is:

index=myindex AMOUNT>=250
| eventstats sum(AMOUNT) as total_sent count as receive by ACCOUNT_FROM
| eval temp=ACCOUNT_FROM
| where receive > 10
| table _time ACCOUNT_TO ACCOUNT_FROM TRACE total_sent INFO temp
| join type=inner temp [search index=myindex | stats sum(AMOUNT) as total_received by ACCOUNT_TO | eval temp=ACCOUNT_TO]
| where total_sent > total_received
Here is the answer - use a POST to admin/SAML-groups and add the names of the external groups and the internal roles. The English in the documentation is "sub-par" and I will be asking for it to be updated. The description of the API POST call for "admin/SAML-groups" says "Convert an external group to internal roles." What it should say is, "Creates a mapping between the external SAML group and the internal roles." This action does as my description says.
Hi @nhana_mulyana, are you sure that you are a registered Splunk Partner? You should see something like this: Ask your Splunk Channel manager. Ciao. Giuseppe
I am wondering why the Deployment Server is full, when the only things stored on this server are the Deployment Server TAs and .conf files to distribute the TAs and .conf files to Universal Forwarders. These are the specs:

Deployment Server
- 16 CPU Core (or 32 vCPU – if VM then must be dedicated), 2 GHz+ per core or greater
- 16GB RAM
- 1 x 200GB storage space (for OS and Splunk)
- 64-bit OS Linux/Windows
- 10GB Ethernet NIC, with optional 2nd NIC for management network

But the disk space is full in /root.

Please help. Thank you.
When I click the Manage button in Partner Company manage, I don't see a "Download Letter of Authorization" button.
You need to get the values into the same event so you can do the calculation - try something like this:

sourcetype=log4j
| rex "91032\|PRD\|SYSTEM\|test\-01\.Autodeploy\-profiles\-msgdeliver\|10\.12\.163\.65\|\-\|\-\|\-\|\-\|com\.filler\.filler\.filler\.message\.visitor\.MessageLoggerVisitor\|\-\|PRD01032 \- Processor (.*?) processed message with system time (?<systime_batch>.+) batch id (.*?) correlation-id \((?<corrid>.+)\) and body"
| rex "com\.filler\.filler\.filler\.message\.processor\.RestPublisherProcessor\|\-\|PRD01051 \- Message with correlation\-id \((?<corrid>.+)\) successfully published at system time (?<systime_mcd>.+) to MCD"
| stats first(systime_batch) as systime_batch values(systime_mcd) as systime_mcd by corrid
| eval diff = (systime_mcd-systime_batch)
Hi @BRFZ, see the Alert Manager Enterprise app (https://splunkbase.splunk.com/app/6730). Ciao. Giuseppe
Hello, would it be possible to create a dashboard where we can receive alerts directly?