@NanSplk01 - I would suggest assigning a custom sourcetype, e.g. my:pi:data:

[my:pi:data]
SHOULD_LINEMERGE = false
LINE_BREAKER = [\}\[](,?[\s\n]*)\{[\s\n]*"Parameters"
TIME_PREFIX = Date\(
MAX_TIMESTAMP_LOOKAHEAD = 128
TIME_FORMAT = %s%3N
TRUNCATE = 999999

This props.conf config on the Indexers or Heavy Forwarder (first full Splunk instance) should work based on the data that you have provided.

I hope this helps!!!
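An added example (mine, not from the answer above nor Splunk's own code) that emulates what this stanza does to the data: it breaks a constructed two-record sample, modelled on the events posted in the thread, at the LINE_BREAKER capture group and then parses the \/Date(...)\/ timestamp with the %s%3N format. The breaking and timestamp semantics are assumptions of the emulation; check the result against a real ingest.

```python
import json
import re
from typing import Optional

# Added example, not from the thread: emulate what the suggested props.conf
# stanza does to the PI JSON array. Splunk semantics assumed here: LINE_BREAKER
# splits the stream at the text captured by group 1 (that text is discarded,
# everything else is kept); TIME_PREFIX is then located in each event and the
# timestamp parsed within MAX_TIMESTAMP_LOOKAHEAD characters after it using
# TIME_FORMAT = %s%3N (epoch seconds followed by three millisecond digits).
LINE_BREAKER = r'[\}\[](,?[\s\n]*)\{[\s\n]*"Parameters"'
TIME_PREFIX = r'Date\('
MAX_TIMESTAMP_LOOKAHEAD = 128
TIME_REGEX = re.compile(r'(\d+)(\d{3})')  # %s followed by %3N

# Constructed sample: two records modelled on the events posted in the thread.
SAMPLE = (
    '[ { "Parameters": null, "ID": 2185, "TimeStamp": "\\/Date(1718122575106)\\/", '
    '"Message": "User query failed: Status: [-11059] No Good Data For Calculation", '
    '"ProgramName": "piarchss", "Severity": "Warning" }, '
    '{ "Parameters": null, "ID": 2185, "TimeStamp": "\\/Date(1718122570130)\\/", '
    '"Message": "User query failed: Status: [-11059] No Good Data For Calculation", '
    '"ProgramName": "piarchss", "Severity": "Warning" } ]'
)

def break_events(raw: str) -> list:
    """Split raw text into events at LINE_BREAKER capture group 1."""
    events, pos = [], 0
    for m in re.finditer(LINE_BREAKER, raw):
        events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    events.append(raw[pos:])
    # The array brackets survive as a lone "[" before the first object and a
    # trailing "]" on the last; dropped here so each event is one JSON object.
    return [e for e in (ev.strip().strip("[]").strip() for ev in events) if e]

def extract_time(event: str) -> Optional[float]:
    """Locate TIME_PREFIX, then parse %s%3N inside the lookahead window."""
    m = re.search(TIME_PREFIX, event)
    if m is None:
        return None
    window = event[m.end():m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    t = TIME_REGEX.match(window)
    return float(f"{t.group(1)}.{t.group(2)}") if t else None

def ingest(raw: str) -> list:
    """Return (event time, Message) per event; json.loads fails on fragments."""
    return [(extract_time(ev), json.loads(ev)["Message"]) for ev in break_events(raw)]

if __name__ == "__main__":
    for ts, msg in ingest(SAMPLE):
        print(ts, msg)
```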
Hi @Splunk_sid

>>> Note- We are not supposed to add csv files directly into the Splunk via "Add inputs" option.

So have you onboarded the CSV file or not yet? If you have onboarded the CSV file, then just use the table command:

index=yourCSVindex source=someSource sourcetype=some | table *
Using SplunkJS, by clicking a button the token value is getting set but is not being passed to the drilldown panel searches. Can you please help on why it's not working?

Steps:
1. Create Splunk JS to enable a token on click of a button
2. In the dashboard, add an HTML button with the required details (please refer to the code attached)
3. Create a panel and update its search with the token_name

Observation: The token value is getting set, but not sure if the value is passed to the down panels or the panel is not identifying the token value that has been set by clicking the button.

Source code:

<dashboard script="start_tracking_1.js" version="1.1">
  <label>test_dashboard 3</label>
  <row id="tab_menu">
    <panel>
      <title>$clickedButtonValue$</title>
      <html>
        <button type="button" class="btn button_tab" id="StartTracking" data-value="value1">
          <h2 style="text-align: center;">
            <span style="color: #000000;">
              <strong>Start Tracking</strong>
            </span>
          </h2>
        </button>
      </html>
    </panel>
  </row>
  <row>
    <panel>
      <table>
        <title>Drilldown Panel</title>
        <search>
          <query>index=_internal source="$clickedButtonValue$" | head 10</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

Splunk JS:

require([
    'splunkjs/mvc',
    'splunkjs/mvc/simplexml/ready!',
    'jquery'
], function(mvc, ready, $) {
    var defaultTokenModel = mvc.Components.getInstance('default');
    // Add click event listener to button with id 'StartTracking'
    $('#StartTracking').on('click', function() {
        var value = $(this).data('value'); // Correct jQuery method to get data-value
        console.log('Button clicked, data-value: ' + value);
        defaultTokenModel.set('clickedButtonValue', value); // Set token value
    });
});
Hi Team, we have onboarded CSV data into Splunk and each row in the CSV is ingested into the _raw field. I need to bring this back to tabular format and run queries against it. Kindly assist.

Note- We are not supposed to add CSV files directly into Splunk via the "Add inputs" option.

Regards, Sid
Hi @ss2, if you are looking for a Splunk Partner, pls let me know.
Hi @ww9rivers .. I hope you have the problem with the Splunk App (Content Manager App for Splunk) installation (not with the Splunk installation). Are you using Splunk on Linux, Windows or Mac? May we know how you installed that app?
One possible solution would be to use a lookup (status_lookup) to keep track of the last known state. This solution adds a host field so it can work for more than one host.

Step 1: Create a KVStore (or file based) lookup with the fields "host" and "current_status" (Note: the solution below will also add an alert message field, but that's more of a side effect.)

Step 2: Add the "host" group by clause, and lookup commands to your SPL:

index=xyz sourcetype=xyz host=*
| eval RespTime=time_taken/1000
| eval RespTime = round(RespTime,2)
| bucket _time span=2m
| stats avg(RespTime) as Average perc80(RespTime) as "Percentile_80" by _time host
| eval Current_Server_Status=if(Percentile_80>=5, "Server Down", "Server Up")
| lookup status_lookup host
| eval alert=case(Current_Server_Status="Server Down",$host$+" is down", (Current_Server_Status="Server Up" AND Server_Status="Server Down"),$host$+" is back up")
| rename Current_Server_Status AS Server_Status
| table host Server_Status alert
| outputlookup status_lookup

You'll end up with a search that outputs something like this (and updates the lookup for the next alert run):

+---------------+--------------+------+
| Server_Status | alert        | host |
+---------------+--------------+------+
| Server Down   | a is down    | a    |
| Server Up     | b is back up | b    |
| Server Up     |              | c    |
| Server Down   | d is down    | d    |
+---------------+--------------+------+

Note that host c has no alert message because it went from "up" to "up" with the sample data I used.
This timeline viz https://splunkbase.splunk.com/app/4370 does support a fixed top and/or bottom x-axis timeline. Not sure how much mileage you will get with it - how many rows do you have in your table?
Your data has a lower case 'a' for atmtransaction and your like statement has 'A'. If you want to use like() then add in lower(), i.e.

| eval Status=if(like(lower(message),"%work flow passed | for endpoint atmtransaction%"),"SUCCESS", "FAIL")

NB: match(message, regex) is an alternative to like, so you only need to match the part you are interested in, not the entire string; the match equivalent would be

| eval Status=if(match(message,"(?i)work flow passed \| for endpoint atmtransaction"),"SUCCESS", "FAIL")
The issue is actually with the "savedsearch" command. The document states:

When the savedsearch command runs a saved search, the command always applies the permissions associated with the role of the person running the savedsearch command to the search. The savedsearch command never applies the permissions associated with the role of the person who created and owns the search to the search. This happens even when a saved search has been set up to run as the report owner.

That makes me wonder, however: when does the "run as owner" setting actually apply the owner's permissions when the search is run? Can another user embed the search in a dashboard? Probably not with the "savedsearch" command either. So what is the use case for that feature?
Under that subject line, the detail says:

You do not have necessary authorization to access and use this application : App Content Manager. Access to all of its features has been restricted. If you believe this is in error, or if you require access for a specific reason, please reach out to your Splunk administrator for further assistance.

But I am the Splunk Admin. This app is quite new and not supported by Splunk. So I am trying to get the authors' insights, or those of anyone who has experience with it. Much appreciated!
Thanks for the help Paul! I have tried your tips:

index=*app_pcf cf_app_name="mddr-batch-integration-flow" msg.message="*Work Flow Passed | for endpoint Atmtransaction*"
| rename msg.message as message
| eval Status=if(like(message,"%Work Flow Passed | for endpoint Atmtransaction%"),"SUCCESS", "FAIL")
| table _time, message, Status

And now I have added the correct message (workflow Passed); however, the Status is still showing as FAIL...
I have a customer that wants to disable alerting Mon-Fri 5PM - 6AM and all day Sat-Sun. It appears that I can only have one schedule per Health Rule. Is it possible to have multiple schedules per Health Rule? Thanks, S/
Correct. This is also known as De Morgan's Law of Union or De Morgan's Law of Intersection.
The missing role is admin_all_objects.
I'm a bit new to Splunk; apologies if I miss anything obvious. I'm looking to selectively block events meeting certain criteria from being indexed. Here's the current setup:

Splunk Universal Forwarder 9.1.4.0
Windows Server 2019

And the conf:

& 'C:\Program Files\SplunkUniversalForwarder\bin\btool.exe' inputs list
...
[WinEventLog://Security]
blacklist1 = REDACTED
blacklist2 = EventCode="4688" Message="New Process Name: (?i)C:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe"
blacklist3 = REDACTED
disabled = 0
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
host = REDACTED
index = REDACTED
interval = 60
...

Now here's what I see:
No errors around processing this blacklist (if I use an invalid regex, it grumbles)
So many splunk process events. So many.

Not clear on why this blacklist is not working. Any suggestions?

In Splunk, if I show source for the log, I get this:

06/18/2024 01:49:56 PM
LogName=Security
EventCode=4688
EventType=0
ComputerName=REDACTED
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=3063451653
Keywords=Audit Success
TaskCategory=Process Creation
OpCode=Info
Message=A new process has been created.

Creator Subject:
Security ID: S-1-5-18
Account Name: REDACTED
Account Domain: REDACTED
Logon ID: 0x3E7

Target Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Process Information:
New Process ID: 0x1e4c
New Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe
Token Elevation Type: %%1936
Mandatory Label: S-1-16-16384
Creator Process ID: 0x35e4
Creator Process Name: C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe
Process Command Line: "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2

Token Elevation Type indicates the type of token that was assigned to the new process in accordance with User Account Control policy.

Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account or a service account.

Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.

Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.

And finally, if I match that source to the regex string, it matches, which... should that not mean the event would be blacklisted? Is there any debug level logging / tooling I should check that might reveal what this is actually doing/not doing? It seems like it should "just work", but, again, I am quite new with Splunk.

Thanks for any help, and apologies if this is something obvious that I have missed!
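A small harness, added here and not part of the post, for checking the blacklist's Message regex against raw 4688 message text rather than against a copy rendered in Search. It assumes (something to verify against your own raw events, not a fact the post establishes) that the Security log separates labels from values with tab characters while the rendered copy shows spaces, which is one way a regex written with a literal space after "New Process Name:" can fail to match even though the copied text matches.

```python
import re

# Added example, not from the post: test the blacklist's Message regex against
# raw 4688 message text instead of a copy rendered in Search. Splunk evaluates
# each key="regex" pair of a blacklist against that field; only the Message
# pair is modelled here. The pattern is the one from the inputs.conf above.
MESSAGE_REGEX = (
    r'New Process Name: (?i)C:\\Program Files\\Splunk(?:UniversalForwarder)?\\bin\\'
    r'(?:btool|splunkd|splunk|splunk-(?:MonitorNoHandle|admon|netmon|perfmon|'
    r'powershell|regmon|winevtlog|winhostinfo|winprintmon|wmi)).exe'
)

def to_python_regex(pcre: str) -> re.Pattern:
    """Splunk uses PCRE, which accepts (?i) mid-pattern; Python 3.11+ only
    accepts inline flags at the start, so hoist it into a compile flag."""
    flags = re.IGNORECASE if "(?i)" in pcre else 0
    return re.compile(pcre.replace("(?i)", ""), flags)

STRICT = to_python_regex(MESSAGE_REGEX)
# Same pattern, but tolerant of whatever whitespace follows the label.
TOLERANT = to_python_regex(MESSAGE_REGEX.replace("Name: ", r"Name:\s+"))

# Constructed message bodies. Assumption to verify against your own raw
# events: the Security log separates labels from values with tab characters,
# while the rendered copy shown in Search displays them as spaces.
MSG_RAW = (
    "A new process has been created.\r\n\r\nProcess Information:\r\n"
    "\tNew Process ID:\t\t0x1e4c\r\n"
    "\tNew Process Name:\tC:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe\r\n"
)
MSG_RENDERED = MSG_RAW.replace("\t", " ")
MSG_OTHER = MSG_RAW.replace(
    "C:\\Program Files\\SplunkUniversalForwarder\\bin\\splunk-powershell.exe",
    "C:\\Windows\\System32\\cmd.exe",
)

def is_blacklisted(message: str, pattern: re.Pattern = STRICT) -> bool:
    """True when the Message regex matches, i.e. the event would be dropped."""
    return pattern.search(message) is not None

if __name__ == "__main__":
    for name, msg in [("rendered", MSG_RENDERED), ("raw", MSG_RAW), ("other", MSG_OTHER)]:
        print(f"{name:9} strict={is_blacklisted(msg)} tolerant={is_blacklisted(msg, TOLERANT)}")
```

If the raw form only matches the tolerant pattern, replacing the literal space after the label with \s+ in inputs.conf is the corresponding change; the other key="regex" pairs of the blacklist are evaluated the same way and also need to hold.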
Thank you for the response, @gcusello. I'll give it a try and see how it goes. It's strange that they make it so hard/confusing to buy their product!  
[ { "Parameters": null, "ID": 2185, "Category": null, "OriginatingHost": null, "OriginatingOSUser": null, "OriginatingPIUser": null, "ProcessID": 5300, "Priority": 10, "ProcessHost": null, "ProcessOSUser": "SYSTEM", "ProcessPIUser": null, "Source1": "piarcset", "Source2": "Historical", "Source3": null, "SplunkTime": "1718122575.10669", "Severity": "Warning" } ] "TimeStamp": "\/Date(1718122575106)\/", "Message": "User query failed: Connection ID: 55, User: piadmin, User ID: 1, Point ID: 247000, Type: summary, Start: 11-Jun-24 12:14:45, End: 11-Jun-24 12:16:15, Mode: 5, Status: [-11059] No Good Data For Calculation", "ProgramName": "piarchss", "Category": null, "OriginatingHost": null, "OriginatingOSUser": null, "OriginatingPIUser": null, "ProcessID": 5300, "Priority": 10, "ProcessHost": null, "ProcessOSUser": "SYSTEM", "ProcessPIUser": null, "Source1": "piarcset", "Source2": "Historical", "Source3": null, "SplunkTime": "1718122570.13029", "Severity": "Warning" }, { "Parameters": null, "ID": 2185, "TimeStamp": "\/Date(1718122570130)\/", "Message": "User query failed: Connection ID: 55, User: piadmin, User ID: 1, Point ID: 247000, Type: summary, Start: 11-Jun-24 12:14:40, End: 11-Jun-24 12:16:10, Mode: 5, Status: [-11059] No Good Data For Calculation", "ProgramName": "piarchss", "Category": null, "OriginatingHost": null, "OriginatingOSUser": null, "OriginatingPIUser": null, "ProcessID": 5300, "Priority": 10, "ProcessHost": null, "ProcessOSUser": "SYSTEM", "ProcessPIUser": null, "Source1": "piarcset", "Source2": "Historical", "Source3": null, "SplunkTime": "1718122565.16875", "Severity": "Warning" }, { "Parameters": null, "ID": 2185, "TimeStamp": "\/Date(1718122565168)\/", "Message": "User query failed: Connection ID: 55, User: piadmin, User ID: 1, Point ID: 247000, Type: summary, Start: 11-Jun-24 12:14:35, End: 11-Jun-24 12:16:05, Mode: 5, Status: [-11059] No Good Data For Calculation", "ProgramName": "piarchss", "Category": null, "OriginatingHost": null, 
"OriginatingOSUser": null, "OriginatingPIUser": null, "ProcessID": 5300, "Priority": 10, "ProcessHost": null, "ProcessOSUser": "SYSTEM", "ProcessPIUser": null, "Source1": "piarcset", "Source2": "Historical", "Source3": null, "SplunkTime": "1718122564.42661", "Severity": "Warning" }, { "Parameters": null, "ID": 2185, "TimeStamp": "\/Date(1718122564426)\/", "Message": "User query failed: Connection ID: 55, User: piadmin, User ID: 1, Point ID: 247000, Type: summary, Start: 11-Jun-24 12:14:34, End: 11-Jun-24 12:16:04, Mode: 5, Status: [-11059] No Good Data For Calculation", "ProgramName": "piarchss", "Category": null, "OriginatingHost": null, "OriginatingOSUser": null, "OriginatingPIUser": null, "ProcessID": 5300, "Priority": 10, "ProcessHost": null, "ProcessOSUser": "SYSTEM", "ProcessPIUser": null, "Source1": "piarcset", "Source2": "Historical", "Source3": null, "SplunkTime": "1718122555.14693", "Severity": "Warning" }, { "Parameters": null, "ID": 2185, "TimeStamp": "\/Date(1718122555146)\/", "Message": "User query failed: Connection ID: 55, User: piadmin, User ID: 1, Point ID: 247000, Type: summary, Start: 11-Jun-24 12:14:25, End: 11-Jun-24 12:15:55, Mode: 5, Status: [-11059] No Good Data For Calculation", "ProgramName": "piarchss", "Category": null, "OriginatingHost": null, "OriginatingOSUser": null, "OriginatingPIUser": null, "ProcessID": 5300, "Priority": 10, "ProcessHost": null, "ProcessOSUser": "SYSTEM", "ProcessPIUser": null, "Source1": "piarcset", "Source2": "Historical", "Source3": null, "SplunkTime": "1718122550.12819", "Severity": "Warning" },
@robertlynch2020 - As per the App documentation, there is no direct configuration parameter as of today (2024-06-18) to make that change.

* https://docs.splunk.com/Documentation/Timeline/1.6.2/TimelineViz/TimelineXML

I hope this helps!!!
Please provide multiple _raw events as raw, so the community can help you write a line breaking configuration.