Can you paste the output of this command, run from the indexer: $SPLUNK_HOME/bin/splunk show kvstore-status
Hi All, I need some help with an SPL query to compare the data from the same host on two different dates and give me a status of "found" or "not found". Status = Found if it finds that notepad is still installed on the same path on the same machine, else not found. So far I have created a KV store lookup to store the data but cannot come up with the logic to compare the data. I have added sample data below. All help is appreciated.

HostName Exe Version Path ProductName RunDate sourcetype
xxxxx null C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.3996_none_e397b63725671b86\f\notepad.exe null 2024-06-13 07:41:37 feed
xxxxx null C:\Windows\WinSxS\amd64_microsoft-windows-notepad_31bf3856ad364e35_10.0.19041.3996_none_e397b63725671b86\r\notepad.exe null 2024-06-14 07:41:37 feed
Hi all, I'm trying to count the number of selected items in a Multiselect control. I've tried eval and stats but no luck with either:

| eval selected_total = count($element$)

| stats count($element$) as selected_total

Thanks
Hi @uagraw01, try this: Data display > Data value display: All.
I have an integration between Opsgenie and Splunk in order to create Opsgenie alerts whenever certain Splunk alerts are created. The thing is, I've been having some issues with one of the dynamic properties available for this integration, {{results_link}}. This link is a very useful asset since it allows devs to be forwarded to the specific search that raised the alert in Splunk. However, we've been seeing some weird behaviour with these results links. For some reason, they seem to stop working at some point. Here's an example of an alert that was generated in Splunk and hence created an alert in Opsgenie through the integration, which had a field with the {{results_link}} property added. The following screenshots are of the exact same link at different times (yesterday afternoon and this morning), where you can see it was a valid query and then it isn't. We need help understanding why this link stops working at some point and how we could avoid that behaviour. Thanks
trial
Hi all, working with the "Crypto and Encoding Add-On" from Splunkbase, I can't manage to make it work in my environment. The "hash" command specifically fails when using the "salt" option, like the following:

| hash algorithm=sha256 salt=test_salt test_field

When removing the salt option, this works just fine, but I really need to add the salt for my use case. The returned error is the following:

ValueError at "/cs/splunk/search/etc/apps/TA-cryptosuite/bin/hash.py", line 122 : Specified salt file "test_salt" does not exist. Please check the spelling of your specified salt name or your configured salts.

I created the entry in the "Key and Salt Management" dashboard, but with no success. I wonder what it could be, since roles and access to the app are all open. Any help here would be really appreciated. Thanks! @hRun
Hi @ITWhisperer, please find below the cut-down version of the code:

<init>
  <set token="showExpandLink5">true</set>
</init>
<row depends="$alwaysHideCSSStyleOverride$">
  <panel>
    <html>
      <style>
        div[id^="linkCollapse"], div[id^="linkExpand"]{
          width: 32px !important;
          float: right;
        }
        div[id^="linkCollapse"] button, div[id^="linkExpand"] button{
          flex-grow: 0;
          border-radius: 50%;
          border-width: thick;
          border-color: lightgrey;
          border-style: inset;
          width: 32px;
          padding: 0px;
        }
        div[id^="linkCollapse"] label, div[id^="linkExpand"] label{
          display:none;
        }
        div[id^="panel"].fieldset{
          padding: 0px;
        }
      </style>
    </html>
  </panel>
</row>
<row>
  <panel>
    <title>Chart title</title>
    <input id="linkCollapse5" type="link" token="tokLinkCollapse5" searchWhenChanged="true" depends="$showCollapseLink5$">
      <label></label>
      <choice value="collapse">-</choice>
      <change>
        <condition value="collapse">
          <unset token="showCollapseLink5"></unset>
          <set token="showExpandLink5">true</set>
          <unset token="form.tokLinkCollapse5"></unset>
        </condition>
      </change>
    </input>
    <input id="linkExpand5" type="link" token="tokLinkExpand5" searchWhenChanged="true" depends="$showExpandLink5$">
      <label></label>
      <choice value="expand">+</choice>
      <change>
        <condition value="expand">
          <set token="showCollapseLink5">true</set>
          <unset token="showExpandLink5"></unset>
          <unset token="form.tokLinkExpand5"></unset>
        </condition>
      </change>
    </input>
    <table rejects="$showExpandLink5$">
      <search>
        <query> My query </query>
      </search>
      <option name="drilldown">none</option>
      <option name="refresh.display">progressbar</option>
    </table>
  </panel>
</row>

It occurs in both larger and small dashboards, but not often. It occurs mostly on a fresh browser load. It occurs with different browsers; I tried with Chrome and Edge. Do you have any suggestions on this?
Hello, I installed IronStream Data Monitor on Splunk to receive JSON data created by an IBM i server and transmitted by Python code. I can also send the data in syslog format. I searched but I didn't find documentation on how to set it up on Splunk to receive the data. I would also like to know if there are specific column names for the SIEM to understand the data received. For example, in my JSON file the Remote_IP column is the field that holds the attacker's IP address. Thanks for reading.
Hello Splunkers! I want the visualization shown in the attached screenshot. I have also included the complete SPL. Please let me know how to achieve it.

index=ABC sourcetype="stalogmessage"
| fields _raw
| spath output=statistical_element "StaLogMessage.StatisticalElement"
| spath output=statistical_subject "StaLogMessage.StatisticalElement.StatisticalSubject"
| fields - _raw
| spath input=statistical_element output=statistical_item "StatisticalItem"
| spath input=statistical_item output=StatisticalId "StatisticalId"
| spath input=statistical_item output=Value "Value"
| spath input=statistical_subject output=SubjectType "SubjectType"
| mvexpand SubjectType
| where SubjectType="ORDER_RECIPE"
| lookup detail_lfl.csv StatisticalID as StatisticalId SubjectType as SubjectType OUTPUTNEW SymbolicName Unit
| mvexpand Unit
| search Unit="%"
| mvexpand SymbolicName
| where SymbolicName="UTILISATION"
| mvexpand Value
| mvexpand StatisticalId
| table StatisticalId Value Unit
Worked like a champ. Note that a restart is required; Debug Refresh (I tried a shortcut) did not work. There were several spots in the files that needed the change. Thanks!
Hi @AL3Z, see here: https://www.splunk.com/en_us/training/course-catalog.html?filters=filterGroup4SplunkEnterpriseSecurity
Ciao. Giuseppe
Hi, I want to learn Splunk Enterprise Security from scratch. Could anyone please share the links? Thanks.
Hi @ashwinve1385 , I don't know because I usually use Victoria Experience. Ciao. Giuseppe
Hi @ss2, they aren't confused; they usually use a partner network that can reach more customers than they could themselves. It's a winning strategy! Let us know if we can help you more, or, please, accept one answer for the other people of the Community.
Ciao and happy splunking, Giuseppe
P.S.: Karma Points are appreciated by all the contributors
Still no answer from Devinfo...
This is how I added a wildcard to a dropdown list. Query for the dynamic options:

| makeresults | eval type="*" | append [ search index=blah rest of search ]

We changed our approach: we generate a different structure in Splunk using stats, and thus we no longer need to read the raw events.
Hi @Splunk_sid, we may need more details from your side: your current search query, what table format you are looking for, ...
@inventsekar There are multiple CSV files from which data gets loaded into Splunk. So, _raw will contain the column headers and the other rows for each file. All I need is to convert it back into a rows-and-columns format, just like what we see in the CSV. The "table" command will not serve the purpose for my scenario.