All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

Hi Team, What I'm trying to achieve: Find the consecutive failure events followed by a success event.   | makeresults | eval _raw="username,result user1,fail user2,success user3,success user1,... See more...
Hi Team, What I'm trying to achieve: Find the consecutive failure events followed by a success event.   | makeresults | eval _raw="username,result user1,fail user2,success user3,success user1,fail user1,fail user1,success user2,fail user3,success user2,fail user1,fail" | multikv forceheader=1 | streamstats count(eval(result="fail")) as fail_counter by username,result reset_after="("result==\"success\"")" | table username,result,fail_counter   Outcome: The counter (fail_counter) gets reset for a user (say user1) if the next event is a success event for a different user (say, user2). username result fail_counter   user1 fail 1   user2 success 0   user3 success 0   user1 fail 1 <- counter reset for user1. It should be 2. user1 fail 2 It should be 3. user1 success 0   user2 fail 1   user3 success 0   user2 fail 1   user1 fail 1   Expected: The counter should not reset if the success event for user2 follows the failure event for user1. I would appreciate any help on this. Not sure what I'm missing here.
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge" /> <title>Indicators lookup</title> <link rel="shortcut icon" href="/en-US/... See more...
<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge" /> <title>Indicators lookup</title> <link rel="shortcut icon" href="/en-US/static/@4EAB67D171EF0F268537B07472A600B957BA5791405CEF63525C4E27D3E44D74/img/favicon.ico" /> <link rel="stylesheet" type="text/css" href="{{SPLUNKWEB_URL_PREFIX}}/static/build/css/bootstrap-enterprise.css" /> <link rel="stylesheet" type="text/css" href="{{SPLUNKWEB_URL_PREFIX}}/static/build/css/splunkjs-dashboard.css" /> <meta name="referrer" content="never" /> <meta name="referrer" content="no-referrer" /> <script> (function () { window._splunk_metrics_events = []; window._splunk_metrics_events.active = true; function onLoadSwa() { new SWA({"deploymentID": "38255b58-9e6d-5dfa-8d85-b49d0a12bf26", "userID": "88dc5753653ca0684944db586ae6839c9919d788bf6408b4cca2a8e79949adac", "version": "4", "instanceGUID": "2255A6A4-6BBF-4F0C-8DE8-ABF5E956C44B", "visibility": "anonymous,support", "url": "https://e1345286.api.splkmobile.com/1.0/e1345286"}); }; document.addEventListener("DOMContentLoaded", function(event) { var s = document.createElement('script'); s.type = 'text/javascript'; s.async = true; s.src='/en-US/static/app/splunk_instrumentation/build/pages/swa.js'; s.addEventListener('load', onLoadSwa); var x = document.getElementsByTagName('script')[0]; x.parentNode.insertBefore(s, x); }); }()); </script> </head> <body class="simplexml preload locale-en" data-splunk-version="8.0.2.1" data-splunk-product="enterprise"> <!-- BEGIN LAYOUT This section contains the layout for the dashboard. Splunk uses proprietary styles in <div> tags, similar to Bootstrap's grid system. --> <header> <a aria-label="Screen reader users, click here to skip the navigation bar" class="navSkip" href="#navSkip" tabIndex="1">Skip Navigation &gt;</a> <div class="header splunk-header"> <div id="placeholder-splunk-bar"> <a href="{{SPLUNKWEB_URL_PREFIX}}/app/launcher/home" class="brand" title="splunk &gt; listen to your data">splunk<strong>&gt;</strong></a> </div> <div id="placeholder-app-bar"></div> </div> <a id="navSkip"></a> </header> <div class="dashboard-body container-fluid main-section-body" data-role="main"> <div class="dashboard-header clearfix"> <h2>Indicators lookup</h2> </div> <div class="fieldset"> <div> <legend><b>Kaspersky CyberTrace connection settings</b></legend> <div class="kl-panel-body"> <div class="input input-text" id="settings-ct-host"> <label>Kaspersky CyberTrace address</label> </div> <div class="input input-text" id="settings-ct-port"> <label>Kaspersky CyberTrace port</label> </div> </div> </div> <div></div> <div id="input1" class="html"> <div class="fieldset"> <legend><b>Kaspersky CyberTrace lookup indicator</b></legend> <div class="panel-body html"> <p>Enter indicator, that you want to lookup in the Kaspersky CyberTrace</p> </div> </div> <div class="input input-text" id="input2"> <label>Indicator</label> </div> <div class="form-submit" id="search_btn"> <button class="btn btn-primary submit">Lookup</button> </div> </div> </div> <div id="row1" class="dashboard-row dashboard-row1"> <div id="panel1" class="dashboard-cell" style="width: 100%;"> <div class="dashboard-panel clearfix"> <div class="panel-element-row"> <div id="element1" class="dashboard-element table" style="width: 100%"> <div class="panel-head"> <h3>Matching events</h3> </div> <div class="panel-body"></div> </div> </div> </div> </div> </div> </div> <!-- END LAYOUT --> <script src="{{SPLUNKWEB_URL_PREFIX}}/config?autoload=1" crossorigin="use-credentials"></script> <script src="{{SPLUNKWEB_URL_PREFIX}}/static/js/i18n.js"></script> <script src="{{SPLUNKWEB_URL_PREFIX}}/i18ncatalog?autoload=1"></script> <script src="{{SPLUNKWEB_URL_PREFIX}}/static/build/simplexml/index.js"></script> <script type="text/javascript"> // <![CDATA[ // <![CDATA[ // // LIBRARY REQUIREMENTS // // In the require function, we include the necessary libraries and modules for // the HTML dashboard. Then, we pass variable names for these libraries and // modules as function parameters, in order. // // When you add libraries or modules, remember to retain this mapping order // between the library or module and its function parameter. You can do this by // adding to the end of these lists, as shown in the commented examples below. require([ "splunkjs/mvc", "splunkjs/mvc/utils", "splunkjs/mvc/tokenutils", "underscore", "jquery", "splunkjs/mvc/simplexml", "splunkjs/mvc/layoutview", "splunkjs/mvc/simplexml/dashboardview", "splunkjs/mvc/simplexml/dashboard/panelref", "splunkjs/mvc/simplexml/element/chart", "splunkjs/mvc/simplexml/element/event", "splunkjs/mvc/simplexml/element/html", "splunkjs/mvc/simplexml/element/list", "splunkjs/mvc/simplexml/element/map", "splunkjs/mvc/simplexml/element/single", "splunkjs/mvc/simplexml/element/table", "splunkjs/mvc/simplexml/element/visualization", "splunkjs/mvc/simpleform/formutils", "splunkjs/mvc/simplexml/eventhandler", "splunkjs/mvc/simplexml/searcheventhandler", "splunkjs/mvc/simpleform/input/dropdown", "splunkjs/mvc/simpleform/input/radiogroup", "splunkjs/mvc/simpleform/input/linklist", "splunkjs/mvc/simpleform/input/multiselect", "splunkjs/mvc/simpleform/input/checkboxgroup", "splunkjs/mvc/simpleform/input/text", "splunkjs/mvc/simpleform/input/timerange", "splunkjs/mvc/simpleform/input/submit", "splunkjs/mvc/searchmanager", "splunkjs/mvc/savedsearchmanager", "splunkjs/mvc/postprocessmanager", "splunkjs/mvc/simplexml/urltokenmodel" // Add comma-separated libraries and modules manually here, for example: // ..."splunkjs/mvc/simplexml/urltokenmodel", // "splunkjs/mvc/tokenforwarder" ], function( mvc, utils, TokenUtils, _, $, DashboardController, LayoutView, Dashboard, PanelRef, ChartElement, EventElement, HtmlElement, ListElement, MapElement, SingleElement, TableElement, VisualizationElement, FormUtils, EventHandler, SearchEventHandler, DropdownInput, RadioGroupInput, LinkListInput, MultiSelectInput, CheckboxGroupInput, TextInput, TimeRangeInput, SubmitButton, SearchManager, SavedSearchManager, PostProcessManager, UrlTokenModel // Add comma-separated parameter names here, for example: // ...UrlTokenModel, // TokenForwarder ) { var pageLoading = true; // // TOKENS // // Create token namespaces var urlTokenModel = new UrlTokenModel(); mvc.Components.registerInstance('url', urlTokenModel); var defaultTokenModel = mvc.Components.getInstance('default', {create: true}); var submittedTokenModel = mvc.Components.getInstance('submitted', {create: true}); urlTokenModel.on('url:navigate', function() { defaultTokenModel.set(urlTokenModel.toJSON()); if (!_.isEmpty(urlTokenModel.toJSON()) && !_.all(urlTokenModel.toJSON(), _.isUndefined)) { submitTokens(); } else { submittedTokenModel.clear(); } }); // Initialize tokens defaultTokenModel.set(urlTokenModel.toJSON()); function submitTokens() { // Copy the contents of the defaultTokenModel to the submittedTokenModel and urlTokenModel FormUtils.submitForm({ replaceState: pageLoading }); } function setToken(name, value) { defaultTokenModel.set(name, value); submittedTokenModel.set(name, value); } function unsetToken(name) { defaultTokenModel.unset(name); submittedTokenModel.unset(name); } setToken("run",false); // // SEARCH MANAGERS // var search1 = new SearchManager({ "id": "search1", "earliest_time": "-30d@d", "latest_time": "now", "autostart": false, "sample_ratio": null, "search": "| klsearch $indicator$ | rename _raw as DetectedEvent | table LookupIndicator, DetectedEvent", "status_buckets": 0, "cancelOnUnload": true, "app": utils.getCurrentApp(), "auto_cancel": 90, "preview": true, "tokenDependencies": { }, "runWhenTimeIsUndefined": false }, {tokens: true, tokenNamespace: "submitted"}); // // SERVICE OBJECT // // Create a service object REST request using the Splunk SDK for JavaScript var service = mvc.createService({ owner: 'nobody' }); setToken('update', false); service.get( 'storage/collections/data/kl_cybertrace_settings/', null, function(err, result) { if (err) { console.error(err); } else { if (result.data.length > 0) { setToken('update', true); setToken('_key', result.data[0]._key); setToken('KTCHost', result.data[0].KTCHost || '127.0.0.1'); setToken('KTCPort', result.data[0].KTCPort || 9999); } } }); // // SPLUNK LAYOUT // $('header').remove(); new LayoutView({"hideChrome": false, "hideSplunkBar": false, "hideAppBar": false}) .render() .getContainerElement() .appendChild($('.dashboard-body')[0]); // // DASHBOARD EDITOR // new Dashboard({ id: 'dashboard', el: $('.dashboard-body'), showTitle: true, editable: true }, {tokens: true}).render(); // // VIEWS: VISUALIZATION ELEMENTS // var element1 = new TableElement({ "id": "element1", "count": 50, "managerid": "search1", "el": $('#element1') }, {tokens: true, tokenNamespace: "submitted"}).render(); element1.on("click", function(e) { if (e.field !== undefined) { e.preventDefault(); var url = TokenUtils.replaceTokenNames("http://tip.kaspersky.com/search?searchString=$click.value$", _.extend(submittedTokenModel.toJSON(), e.data), TokenUtils.getEscaper('url'), TokenUtils.getFilters(mvc.Components)); utils.redirect(url, false, "_blank"); } }); // // VIEWS: FORM INPUTS // var settingsktcaddr = new TextInput({ "id": "settings-ct-host", "searchWhenChanged": false, "default": "127.0.0.1", "value": "$KTCHost$", "el": $('#settings-ct-host') }, {tokens: true}).render(); var settingsktcport = new TextInput({ "id": "settings-ct-port", "searchWhenChanged": false, "default": "9999", "value": "$KTCPort$", "el": $('#settings-ct-port') }, {tokens: true}).render(); var input1 = new HtmlElement({ "id": "input1", "useTokens": true, "el": $('#input1') }, {tokens: true, tokenNamespace: "submitted"}).render(); DashboardController.addReadyDep(input1.contentLoaded()); input1.on("change", function(newValue) { FormUtils.handleValueChange(input1); }); var input2 = new TextInput({ "id": "input2", "searchWhenChanged": true, "default": "", "value": "$indicator$", "el": $('#input2') }, {tokens: true}).render(); input2.on("change", function(newValue) { FormUtils.handleValueChange(input2); }); // // SUBMIT FORM DATA // var submit = new SubmitButton({ id: 'submit', el: $('#search_btn'), text: 'Lookup' }, {tokens: true}).render(); submit.on("submit", function() { var collectionEndpoint, headers, method, record, tokens; tokens = mvc.Components.getInstance('default'); if (tokens.get('KTCHost') === "" ){ alert ("Incorrect value for Kaspersky CyberTrace address"); return; } if (tokens.get('KTCPort') === "" ){ alert ("Incorrect value for Kaspersky CyberTrace port"); return; } record = { KTCHost: tokens.get('KTCHost'), KTCPort: tokens.get('KTCPort') }; /* add/update record */ headers = { 'Content-Type': 'application/json' }; if (tokens.get('update')) { collectionEndpoint = 'storage/collections/data/kl_cybertrace_settings/' + tokens.get('_key'); } else { collectionEndpoint = 'storage/collections/data/kl_cybertrace_settings'; } method = 'POST'; service.request(collectionEndpoint, method, null, null, JSON.stringify(record), headers, null) .done(function(data) { data = JSON.parse(data); if (data._key) { submitTokens(); search1.startSearch(); } else { console.error('no key returned in data', data._key); } }) .fail(function(data) { console.error(data.statusText); statusMessage('error', data.statusText); }); }); // Initialize time tokens to default if (!defaultTokenModel.has('earliest') && !defaultTokenModel.has('latest')) { defaultTokenModel.set({ earliest: '0', latest: '' }); } if (!_.isEmpty(urlTokenModel.toJSON())){ submitTokens(); } // // DASHBOARD READY // DashboardController.ready(); pageLoading = false; } ); // ]]> </script> </body> </html>
Hi everyone, I'm currently working on integrating Kaspersky CyberTrace with Splunk and have encountered a couple of issues I need help with: Converting Indicators Lookup Dashboard: I successful... See more...
Hi everyone, I'm currently working on integrating Kaspersky CyberTrace with Splunk and have encountered a couple of issues I need help with: Converting Indicators Lookup Dashboard: I successfully converted the "Kaspersky CyberTrace Matches" and "Kaspersky CyberTrace Status" dashboards to Dashboard Studio. However, the "Indicators Lookup" dashboard does not have an option for conversion and throws an error when I try to open it: "HTML Dashboards are no longer supported. You can recreate your HTML dashboard using Dashboard Studio." The code for this dashboard is quite extensive. Does anyone have any suggestions or best practices on how to convert it to Dashboard Studio effectively? Data Not Displaying in Dashboards: Even though data is being received from Kaspersky and stored in the Main index, the dashboards are not displaying any information. Has anyone faced similar issues or could provide insight into what might be going wrong here? Any guidance or solutions to these problems would be greatly appreciated. Thanks in advance for your help!
In Distributed Clustered Deployment with SHC - Multisite (M4 / M14) model, is there any additional license required ? Is there any downtime require while connection Site A with Site N with Multisite... See more...
In Distributed Clustered Deployment with SHC - Multisite (M4 / M14) model, is there any additional license required ? Is there any downtime require while connection Site A with Site N with Multisite (M4 / M14)  model ?  
Dear All, Is there any delay option in Splunk multisite M4/M14? Requirement:  Site A is Active site and Site N passive site. Data ingestion from Active site should be in real time and data from sit... See more...
Dear All, Is there any delay option in Splunk multisite M4/M14? Requirement:  Site A is Active site and Site N passive site. Data ingestion from Active site should be in real time and data from site N would be Ingest at 1 AM every day.  Is there any option in mu
It looks like you are trying to find the app.name for the parent_span_id? To avoid using joins, try something like this: index=your_index sourcetype=your_sourcetype | fields trace_id, span_id, paren... See more...
It looks like you are trying to find the app.name for the parent_span_id? To avoid using joins, try something like this: index=your_index sourcetype=your_sourcetype | fields trace_id, span_id, parent_span_id,app.name | rename app.name as current_service | eval join_id=parent_span_id | appendpipe [| rename current_service as parent_service | eval join_id = span_id] | eventstats values(parent_service) as parent_service by join_id trace_id | where isnotnull(current_service) | table trace_id parent_service current_service If this isn't correct, please share some anonymised, but representative raw events and a description of what it is you are trying to do
If you had bucket problems, the error would come from another component Normally with stale fishbucket entries and similar problems you'd simply remove a particular entry from the fishbucket but ... See more...
If you had bucket problems, the error would come from another component Normally with stale fishbucket entries and similar problems you'd simply remove a particular entry from the fishbucket but in this case it looks that the fishbucket database itself is damaged so you probably need to remove whole fishbucket - stop splunkd, remove var/lib/splunk/fishbucket, start splunkd You might want to fiddle with the db first. If I remember correctly (but I wouldn't bet any money on it), it's a berkeleydb so it might be possible to repair it.
Indeed this error is related to ingestion failure.  I just thought the BTree problem is inside the buckets.  To clean up, do I just delete everything in fishbucket?  Reingestion is not a problem, but... See more...
Indeed this error is related to ingestion failure.  I just thought the BTree problem is inside the buckets.  To clean up, do I just delete everything in fishbucket?  Reingestion is not a problem, but I do not want to cause other behavior changes.
Click on the graph to go into Metric Browser... In Metric Browser, right-click on the Metrics to show the REST URL: regards, Terence
This is a tailreader message so it should be about ingestion, not indexed data. You might need to clean fishbucket (of course it will reingest all monitor inputs).
First things first - check splunkd.log for errors. It looks like come communication problems. between nodes. If all else fails, just reinstall the node from scratch and bootstrap it as a SHC member.
Yes. @gcusello is 100% spot-on. I admit it is a bit counterintuitive (especially compared to indexer cluster and manager node) but the deployer is not a part of a search head cluster. It is an auxili... See more...
Yes. @gcusello is 100% spot-on. I admit it is a bit counterintuitive (especially compared to indexer cluster and manager node) but the deployer is not a part of a search head cluster. It is an auxiliary component meant to be used for... well, deploying the configuration to the SHC but apart from that it doesn't take part in any other SHC activity.
Hi experts, For Splunk App for Data Science and Deep Learning is it possible at all to build custom docker image native for M1 or M2 Mac? Currently available ones on Docker hub are for x86 architect... See more...
Hi experts, For Splunk App for Data Science and Deep Learning is it possible at all to build custom docker image native for M1 or M2 Mac? Currently available ones on Docker hub are for x86 architecture. Running them in M1 Docker environment has been problematic. All notebooks that use transformers and keras crash the kernel upon import.  Also, if possible to leverage native M1and/or M2 GPU will also be useful. Any plan for native docker image build supprot for M1 and/or M2? Thanks, MCW
Hi, I am trying to install Splunk SOAR (On-premises) as an unprivileged user on CentOS 7.9 and when I am running ./soar-prepare-system script I get the following error message: ./usr/python39/bin/p... See more...
Hi, I am trying to install Splunk SOAR (On-premises) as an unprivileged user on CentOS 7.9 and when I am running ./soar-prepare-system script I get the following error message: ./usr/python39/bin/python3.9: /lib64/libc.so.6: version `GLIBC_2.25' not found (required by /opt/splunk-soar/usr/python39/bin/../lib/libpython3.9.so.1.0) ./usr/python39/bin/python3.9: /lib64/libc.so.6: version `GLIBC_2.26' not found (required by /opt/splunk-soar/usr/python39/bin/../lib/libpython3.9.so.1.0) ./usr/python39/bin/python3.9: /lib64/libc.so.6: version `GLIBC_2.27' not found (required by /opt/splunk-soar/usr/python39/bin/../lib/libpython3.9.so.1.0) ./usr/python39/bin/python3.9: /lib64/libc.so.6: version `GLIBC_2.28' not found (required by /opt/splunk-soar/usr/python39/bin/../lib/libpython3.9.so.1.0)  I tried to install it on CentOS 8 and got another error said Unable to read CentOS/RHEL version from /etc/redhat-release.  Any sugestions?
Hi @jenkinsta , your solution surely work, but you could also try:   index=data | lookup adexport.csv UserName AS UserId OUTPUT Title | table _time UserId Title   Ciao. Giuseppe
Hi @adoumbia , for my knowedge, you can run this command only on Search Heads, not on Deployer, because it isn't a component of the Cluster, it's only the system that deployes apps to the Cluster, b... See more...
Hi @adoumbia , for my knowedge, you can run this command only on Search Heads, not on Deployer, because it isn't a component of the Cluster, it's only the system that deployes apps to the Cluster, but after deployment, the Cluster runs by itself. Ciao. Giuseppe
something is not clear because it does not return any rows now: (...) | stats values(*) as * by joiner | where ctx_ecid=ecid_d | eval _time=min(_time) | timechart span=5min avg(time_taken) ... See more...
something is not clear because it does not return any rows now: (...) | stats values(*) as * by joiner | where ctx_ecid=ecid_d | eval _time=min(_time) | timechart span=5min avg(time_taken) without the last line with timechart it returns all expected rows, with it - none     and one more question . Right now I do stats(*) as * by joiner  but this returns all fields from both indexes. I suppose it cost a lot to transfer such big amount of data especially each my index has 10-20 fields and thousands records. In fact I use only 2-3 fields from each index so I tried to something like : | stats values(field1) as field1, values(field2) as field2, values(field3) as field3 by joiner (...) but it does not return rows    Why ?   how  to modify it to returns only fields I need?  
Hello I am building a new search head cluster, the cluster work fine, however the deployer is throwing error whenever I run "/bin/splunk show shcluster-status" on the deployer Here is error I am ... See more...
Hello I am building a new search head cluster, the cluster work fine, however the deployer is throwing error whenever I run "/bin/splunk show shcluster-status" on the deployer Here is error I am getting "Encountered some errors while trying to obtain shcluster status. Search Head Clustering is not enabled on this node. REST endpoint is not available" my server.conf look like the following [shclustering] pass4SymmKey = xxxxxxxxx   Your input  be appreciated
I am having the error I tried your solution, unfortunately it does not work.
Hi @Ryan.Paredez , Can you please check for the Account [redacted] ^ Post edited by @Ryan.Paredez to remove email from the post. For security and privacy reasons, if you need to share PII, do it p... See more...
Hi @Ryan.Paredez , Can you please check for the Account [redacted] ^ Post edited by @Ryan.Paredez to remove email from the post. For security and privacy reasons, if you need to share PII, do it privately using the Community Private Message feature.