All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
1. Please don't call out people by name. If they have spare time they'll probably help you. If they don't, they won't. And calling them out explicitly can actually make them less likely to want to help you.
2. It's a bit confusing - what does your single event look like? Please post a full event sample (preferably in a code block).
3. If I understand correctly, you have an array within your JSON structure and the fields of separate structures within your array get "squished", so you can't correlate between values in those fields, right? Typically for that you need to extract the array field as a whole to a multivalued field, then split the event on that field into multiple ones and then parse the JSON further. Like:

    | spath path="propositions"
    | mvexpand propositions
    | spath input=propositions

It's gonna be more complicated if you have several arrays in a single event and you have to "split" them all this way and correlate. That's more of a case of badly formatted data.
Could I please get assistance on how to resolve this issue and get the AlgoSec App for Security Incident Analysis and Response (2.x) Splunk application working. No changes have been made to any application files. The steps in the AlgoSec installation documentation have been followed: Integrate ASMS with Splunk (algosec.com)

The Splunk version being used: Splunk Enterprise 9.2 (Trial License)

When installing the application, this error is returned: 500 Internal Server Error

Error Details:

    index=_internal host="*********" source=*web_service.log log_level=ERROR requestid=6694b1a1307f3b003f6d50

    2024-07-15 15:20:33,402 ERROR [6694b1a1307f3b003f6d50] error:338 - Traceback (most recent call last):
      File "/opt/splunk/lib/python3.7/site-packages/cherrypy/_cprequest.py", line 628, in respond
        self._do_respond(path_info)
      File "/opt/splunk/lib/python3.7/site-packages/cherrypy/_cprequest.py", line 687, in _do_respond
        response.body = self.handler()
      File "/opt/splunk/lib/python3.7/site-packages/cherrypy/lib/encoding.py", line 219, in __call__
        self.body = self.oldhandler(*args, **kwargs)
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/htmlinjectiontoolfactory.py", line 75, in wrapper
        resp = handler(*args, **kwargs)
      File "/opt/splunk/lib/python3.7/site-packages/cherrypy/_cpdispatch.py", line 54, in __call__
        return self.callable(*self.args, **self.kwargs)
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/routes.py", line 422, in default
        return route.target(self, **kw)
      File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-500>", line 2, in listEntities
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 41, in rundecs
        return fn(*a, **kw)
      File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-498>", line 2, in listEntities
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 119, in check
        return fn(self, *a, **kw)
      File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-497>", line 2, in listEntities
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 167, in validate_ip
        return fn(self, *a, **kw)
      File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-496>", line 2, in listEntities
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 246, in preform_sso_check
        return fn(self, *a, **kw)
      File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-495>", line 2, in listEntities
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 285, in check_login
        return fn(self, *a, **kw)
      File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-494>", line 2, in listEntities
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 305, in handle_exceptions
        return fn(self, *a, **kw)
      File "</opt/splunk/lib/python3.7/site-packages/decorator.py:decorator-gen-489>", line 2, in listEntities
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/lib/decorators.py", line 360, in apply_cache_headers
        response = fn(self, *a, **kw)
      File "/opt/splunk/lib/python3.7/site-packages/splunk/appserver/mrsparkle/controllers/admin.py", line 1798, in listEntities
        app_name = eai_acl.get('app')
    AttributeError: 'NoneType' object has no attribute 'get'

Thanks, Splunk Community
Thought as much; it's just worth noting that things can be perceived differently from what we wanted to say. Now, check the technical part of my response. Most probably, you need to increase the lookahead because you have no timestamp in the first 24 chars of your event. The architectural issue might also mean that when you fix that you'll be doing the right thing but in the wrong place.
@PickleRick Please don't take my words otherwise. I didn't mean to say that. By the way, thanks for correcting me. I will take care with my words from next time.
I tried to update $result.field$ in the Description of Custom fields as in the screenshot, but it is not updating in ServiceNow.
@inventsekar I have added these three corrected settings in props.conf. I am waiting for the real event to come in; if this works then the job will be done.

    LINE_BREAKER = <\/eqtext:EquipmentEvent>()
    TIME_PREFIX = ((?<!ReceiverFmInstanceName>))<eqtext:EventTime>
    TZ = America/Glace_Bay
Hi, I am new to Splunk development. Please provide your assistance for creating a search. Thanks in advance. I am trying to create a report where I need to fetch the requestId and proposition id based on odds and account number. Attached is a sample event where multiple requests are in a single event, which comes as a combined event to Splunk. I have used a query like the one below, but it displays all the propositions for every request and odds combination. I want to display the propositionId only related to a particular request id and odds. Attaching a sample for reference.

    index=abc source="data.log" "Response.errors{}.message"="cobination"
    | spath "Response.errors{}.code"
    | search "Response.errors{}.code"=COMBINATION
    | spath "Response.b{}.legs{}.propositions{}.propositionId"
    | spath "Response.b{}.legs{}.odds"
    | rename "Response.b{}.legs{}.odds" as Odds
    | spath "accountDetails.accountNumber"
    | dedup "accountDetails.accountNumber"
    | rename "accountDetails.accountNumber" as AccountNumber
    | spath "Response.b{}.requestId"
    | rename "Response.b{}.requestId" as RequestId
    | stats values("Response.errors{}.code") as ErrorCode, values("Response.b{}.legs{}.propositions{}.propositionId") as PropositionId by AccountNumber, Odds, RequestId, _time
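An added illustration (not from any of the posts above) of why the search in this question "squishes" propositions across requests and what the spath / mvexpand / spath pattern from the earlier answer buys you. The sample event is constructed to mirror the question's field names; flatten_event models whole-event auto-extraction, and correlated_rows models parsing each array element on its own.

```python
import json

# Constructed sample event shaped like the question's fields (not real data):
# Response.b{}.requestId, Response.b{}.legs{}.odds,
# Response.b{}.legs{}.propositions{}.propositionId, accountDetails.accountNumber.
SAMPLE_EVENT = json.dumps({
    "accountDetails": {"accountNumber": "ACC-1"},
    "Response": {
        "errors": [{"code": "COMBINATION", "message": "combination"}],
        "b": [
            {"requestId": "req-1", "legs": [{"odds": 1.5, "propositions": [
                {"propositionId": "p1"}, {"propositionId": "p2"}]}]},
            {"requestId": "req-2", "legs": [{"odds": 2.25, "propositions": [
                {"propositionId": "p3"}]}]},
        ],
    },
})


def flatten_event(event_json):
    """Model of whole-event auto-extraction: every array level becomes '{}' in
    the field name and all values at that path pile into one multivalue field,
    so odds and propositionIds lose their pairing."""
    out = {}

    def walk(obj, path):
        if isinstance(obj, dict):
            for k, v in obj.items():
                walk(v, f"{path}.{k}" if path else k)
        elif isinstance(obj, list):
            for item in obj:
                walk(item, path + "{}")
        else:
            out.setdefault(path, []).append(obj)

    walk(json.loads(event_json), "")
    return out


def correlated_rows(event_json):
    """Model of spath path=... | mvexpand ... | spath input=...: each array
    element is parsed on its own, so a leg's odds stay with its propositions."""
    ev = json.loads(event_json)
    acct = ev["accountDetails"]["accountNumber"]
    rows = []
    for req in ev["Response"]["b"]:  # expand requests
        for leg in req["legs"]:      # expand legs within one request
            rows.append({"AccountNumber": acct, "RequestId": req["requestId"],
                         "Odds": leg["odds"],
                         "PropositionId": [p["propositionId"] for p in leg["propositions"]]})
    return rows
```

Run flatten_event on SAMPLE_EVENT and the propositionId field holds p1, p2 and p3 with no way to tell which odds they belong to; correlated_rows returns one row per request and leg with only its own propositions.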
1. For "ASAP" you pay your friendly consultant or PS. This is a community-driven forum - people help others in their own spare time. Saying "help me ASAP" can be perceived as rude.
2. How do you ingest your data? UF->indexer? HF->indexer? UF->HF->indexer? What input do the events come in by? Where do you have the props.conf for the sourcetype?
3. You have the timestamp relatively late in the event and - as you've shown - your MAX_TIMESTAMP_LOOKAHEAD is set to only 24.
4. When posting config excerpts or data samples, please use a code block or preformatted style. It greatly helps readability.
Hi @yuvaraj_m91 You can reference the required fields in your Splunk alert config using $name$ for the alert name and $result.field$ for other fields.
If 3 results got a good timestamp, that means props.conf is working fine. Let's troubleshoot the 4th one. Please copy and paste your search query (remove the hostnames, confidential info, etc.).
@inventsekar If you see the attached screenshot below, the first three events are matching but the last event is always creating an issue. FYI: I am using the default timezone setting.
1) Please give us the search query you are using. What you see in the results is your Splunk user profile's timezone setting.
2) On your Splunk user profile, please make sure you have the right timezone settings (click on your username -> Account settings -> Time Zone).
@inventsekar I have updated this: "TIME_FORMAT = %FT%H:%M:%S.%3Q%Z"; the other one is commented out with #. I have already restarted the splunkd services.
Hi @uagraw01, for the time format, did you apply both mine and @yuanliu's time formats? (After updating props.conf, you must restart the Splunk services; only then will the changes be inserted into Splunk.)
My objective is to create an alert in ServiceNow whenever a failure alert is triggered in Splunk. I have installed the Splunk Add-on for ServiceNow and configured the connection setup. I was able to successfully post the incident in ServiceNow with the default fields available in the ServiceNow Incident alert. However, I need to update the Description field in ServiceNow with the details of the Alert Name and Alert Result to identify why that alert triggered.
Hi Dev Team, it has been a while since the last update version for this app was released (mid 2023), and it has now lost Splunk Cloud certification for compatibility. Can we please have this app revised to match Splunk Cloud requirements for compatibility? Thank you. Regards.
@inventsekar

    [Scada_walmart_alarm]
    DATETIME_CONFIG =
    KV_MODE = xml
    NO_BINARY_CHECK = true
    CHARSET = UTF-8
    LINE_BREAKER = <\/eqtext\:EquipmentEvent
    NO_BINARY_CHECK = true
    SHOULD_LINEMERGE = false
    MAX_TIMESTAMP_LOOKAHEAD = 24
    TIME_FORMAT = %FT%H:%M:%S.%3Q%Z
    #TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%Z
    TIME_PREFIX = \<eqtext\:EventTime\>
    SEDCMD-first = s/^.*<eqtext:EquipmentEvent/<eqtext:EquipmentEvent/g
Hi @uagraw01, please show us your props.conf. (If you don't know where to find the props.conf: are you using a HF or not? If you use a HF, then props.conf should be there; if you don't use a HF, then your props.conf for this should be on the indexer.)
@yuanliu @inventsekar When I ingested into Splunk, both times vary (index time and event time). Please see the screenshot below.
Hi @uagraw01

    | makeresults
    | eval logs="2024-07-13T16:21:31.287Z"
    | eval time=strptime(logs,"%Y-%m-%dT%H:%M:%S.%Q")
    | eval date=strftime(time,"%Y-%m-%d %H:%M:%S")
    | table logs time date

Please check "%Y-%m-%dT%H:%M:%S.%Q".