All Posts


HFs process data transparently so there's no way to track the flow of events.  Many customers work around that by having the HF add a field to every event where the value of the field is the HF's name.
Are you using the F5 BIG-IP platform? If so, the Splunk Add-on for F5 BIG-IP seems like the right direction. https://splunkbase.splunk.com/app/2680 Documentation, including installation and data forwarding instructions, can be found here: https://docs.splunk.com/Documentation/AddOns/released/F5BIGIP/About
Does it appear when you change the search results to the "Visualization" tab, then switch the visualization to "Line Chart"? Alternatively, could you try:
<your search that extracts the fields>
| timechart mode(target) as target mode(state) as state mode(cavity) as cavity
There is a minimum basic instance specification for a production-grade Splunk Enterprise deployment on this page: https://docs.splunk.com/Documentation/Splunk/9.2.1/Capacity/Referencehardware
E.g.:
- An x86 64-bit chip architecture
- 12 physical CPU cores, or 24 vCPU at 2 GHz or greater speed per core
- 12 GB RAM
- A 1 Gb Ethernet NIC, optional second NIC for a management network
- A 64-bit Linux or Windows distribution. See Supported Operating Systems in the Installation Manual.
If you are just doing testing and can tolerate lower performance, you can use lower specs. For estimating storage requirements, it would depend on how many days of retention you would keep for your <100 MB/day, and how compressible your log data is. You could throw a couple of tens of gigabytes into it and see how the disk space taken by data grows.
I have accomplished the rex using the field extractor, but as for plotting the values this is not of much help. I'd like to plot the values found, with the associated timestamp of the event, into a line chart.
Hello, hope this message finds you all well. I have moved to the role of Splunk admin recently and I need to install the Splunk Enterprise package (single instance) for lab purposes. Further, Splunk Enterprise Security and the Splunk SOAR app will be installed on the same server as well. The lab is just for demo and some R&D purposes and the daily ingestion will be less than 100 MB. I have the license and the Enterprise Security package from my previous lab setup. Needed some suggestions on what vCPU, storage and RAM I should proceed with. Thanks in advance.
| rex "target: Temp\((?<target>\d+)\), state: Temp\((?<state>\d+)\), cavity: (?<cavity>\d+)"  
I would like to extract the Message, Timestamp, and serial fields. Then I would like to plot target: Temp(315600), state: Temp(315600), cavity: 178900, each on individual plots based on the time series. I take it I will have to use a rex command to extract the bolded values from the message field. How would I go about this?
{"bootcount":10,"device_id":"71ff6686fa5347828e3668e59249d0be","environment":"prod_walker", "event_source":"appliance","event_type":"GENERIC","location": {"city":"","country":"XXX","latitude":XXX,"longitude":XXX,"state":""}, "log_level":"info","message":"hardware_controller: TestState { target: Temp(315600), state: Temp(315600), cavity: 178900, fuel: None, shutdown: None, errors: test() }", "model_number":"XXXX","sequence":1411,"serial":"XXXX","software_version":"2.2.2.7641","ticks":158236,"timestamp":1717972790}
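One way to check the rex pattern from this thread against the sample event before putting it into a search, as an added example that is not part of the original posts: the script below applies the same named-group regex to the "message" field of a few constructed JSON events (the values and the second and third events are made up; "XXX" placeholders from the question are replaced so the JSON parses), keeps the event timestamp beside each extracted number, and groups the results into one series per field, which is the shape a line chart per field needs. Python's re module only accepts (?P<name>...) for named groups, so the PCRE-style (?<name>...) of the posted rex is rewritten before compiling; nothing else in the pattern changes.

```python
import json
import re

# The rex pattern from the thread, as posted (PCRE named-group syntax).
SPL_REX = r"target: Temp\((?<target>\d+)\), state: Temp\((?<state>\d+)\), cavity: (?<cavity>\d+)"

# Python's re needs (?P<name>...); the pattern has no lookbehinds ("(?<="), so a
# plain replace of "(?<" is safe here.
PATTERN = re.compile(SPL_REX.replace("(?<", "(?P<"))

# Constructed sample events in the question's format (placeholder values; the
# second and third events are invented, the third carries no TestState message).
SAMPLE_EVENTS = [
    '{"bootcount":10,"device_id":"71ff6686fa5347828e3668e59249d0be","environment":"prod_walker",'
    '"event_source":"appliance","event_type":"GENERIC",'
    '"location":{"city":"","country":"PLACEHOLDER","latitude":0.0,"longitude":0.0,"state":""},'
    '"log_level":"info","message":"hardware_controller: TestState { target: Temp(315600), '
    'state: Temp(315600), cavity: 178900, fuel: None, shutdown: None, errors: test() }",'
    '"model_number":"PLACEHOLDER","sequence":1411,"serial":"SERIAL-PLACEHOLDER",'
    '"software_version":"2.2.2.7641","ticks":158236,"timestamp":1717972790}',
    '{"bootcount":10,"device_id":"71ff6686fa5347828e3668e59249d0be","event_type":"GENERIC",'
    '"message":"hardware_controller: TestState { target: Temp(316000), state: Temp(315800), '
    'cavity: 179100, fuel: None, shutdown: None, errors: test() }",'
    '"serial":"SERIAL-PLACEHOLDER","sequence":1412,"timestamp":1717972850}',
    '{"bootcount":10,"device_id":"71ff6686fa5347828e3668e59249d0be","event_type":"GENERIC",'
    '"message":"hardware_controller: heartbeat","serial":"SERIAL-PLACEHOLDER",'
    '"sequence":1413,"timestamp":1717972820}',
]


def extract_fields(raw_event):
    """Parse one JSON event and pull target/state/cavity out of its message.

    Returns a dict with timestamp, serial and the three numeric fields, or
    None when the message does not contain a TestState line (the rex would
    simply leave those fields empty in Splunk; here the event is skipped).
    """
    event = json.loads(raw_event)
    match = PATTERN.search(event.get("message", ""))
    if match is None:
        return None
    return {
        "timestamp": int(event["timestamp"]),
        "serial": event.get("serial"),
        "target": int(match.group("target")),
        "state": int(match.group("state")),
        "cavity": int(match.group("cavity")),
    }


def to_series(raw_events):
    """Build one time-ordered (timestamp, value) list per extracted field."""
    series = {"target": [], "state": [], "cavity": []}
    for raw in raw_events:
        row = extract_fields(raw)
        if row is None:
            continue
        for name in series:
            series[name].append((row["timestamp"], row[name]))
    for name in series:
        series[name].sort()  # events may arrive out of order; charts want time order
    return series


if __name__ == "__main__":
    for name, points in to_series(SAMPLE_EVENTS).items():
        print(name, points)
```

If the numbers come out as expected here, the same pattern can go straight into `| rex field=message "..."` followed by a timechart over the extracted fields; an event whose message has no TestState line simply contributes nothing to the series, which is also what the chart will show.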
Hello, I hope all is well. Need your help to monitor the F5 Interface utilization throughput (performance Monitor). Any Idea! @community  #performanceMonitor
Hello, a question. I'd like to ask if it is possible to convert an Elasticsearch machine learning anomaly detector model to a Splunk Machine Learning Toolkit model?
Hi, I am running Splunk 9.0.9 with Splunk Add-on for Sysmon 4.0.1 and Sysmon Security Monitoring App for Splunk 4.0.13. I configured the alerts to be sent by email and I am receiving many of them (false positives, thank god). At this point I have two issues:
- The field "Body" is always empty. Reviewing the macros included in the app, they seem to be created for the non-XML Sysmon events. I changed the inputs.conf from the TA-Windows-Sysmon add-on without success. The events continue flowing in, in XML format.
[WinEventLog://Microsoft-Windows-Sysmon/Operational]
disabled = false
renderXml = 0
source = WinEventLog:Microsoft-Windows-Sysmon/Operational
Did anyone face the same issue? How did you solve it?
- I would also like to add an exception list of processes to reduce the amount of alerts, whitelisting some well-known Windows executables or tools. Has anyone done that? Could you tell me the approach you took? Thanks a lot. I am checking other alternatives like Cyences https://splunkbase.splunk.com/app/5351. Any opinion?
where the last 4 digits contain any number from 0 to 9
Thanks for the reply. I actually need a 7-digit format like "555-XXXX".
Hi @Scott.Lucier, I spoke with a PMM on my team and this is what they shared with me.  In my opinion, the better way is to create an action suppression. You would need three: one for 5 PM to midnight M-F, one from 21:00 AM to 6 AM M-F, and a third for all day Sat-Sunday. Action suppression is a feature that is meant for this purpose, and can be used globally for an application or environment, for all HRs, so you do not have to re-create each HR.
The random function only returns an integer and there is no way to force it to include hyphens in the output. Since the function may return an integer too small for a phone number, I suggest using multiple calls to build it. Here's an example using the North American Numbering Plan.
| eval PhoneNumber = (random() % 1000)."-".(random() % 1000)."-".(random() % 10000)
Additional massaging may be needed if you want more realistic phone numbers (no "001" for an area code, for example).
We are already ingesting Salesforce data via the Salesforce for Splunk Add-on. I have a requirement to monitor when an admin permission set has been assigned to a user and what changes that user makes. Has anyone fulfilled a similar requirement? So far I have found a list of the following objects that could provide the information I need to see when a permission set is assigned to a user (https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_permissionsetassignment.htm) but I am not sure how to track what changes that admin user makes. Can you help?
It depends on the format of phone number that you want and any range constraints on the number. Essentially, random() returns a "random" potentially large integer. This is usually reduced in range by using a modulus operation, e.g.
| eval number=random() % 1000000
This will give you an integer below a million. Alternatively, you could randomise parts of the number, e.g.
| eval number = "1-".printf("%0.3d", random() % 1000)."-".printf("%04d", random() %10000)
In a fully managed Splunk Cloud context, we don't have access to the file system, so we can't readily edit the custom.dat file. This is a plea to the developers: could you please update this app to address this need? Thanks!
How do I format a returned int into a phone number with the hyphen using the eval random function? What I have so far:
| eval PhoneNumber = (random() )
Guys, thanks for the valuable hints and posts. This time I managed to do it by myself. Here is my new, working query:
index="odp" OR index="oap" txt2="ibum_p"
| eval c_e = mvindex(split(c_e,","),0)
| eval c_e=coalesce(c_e,e)
| stats values(*) by c_e
So critical in my case was renaming the field. Instead of rename I use coalesce and it helped. Stats now returns values from both indexes. K.