All Posts

No, the outer result is not important, as I am looking to create pass/fail charts with the inner results of each corresponding test.
I have UFs installed on some SQL servers that forward certain events (according to EventID) to my Splunk. I have created a search query to parse out the data needed to make a nice table. However, ideally I'd like to do this at ingest time instead of at search time. I was told by my manager to research props.conf and transforms.conf, and here I am. Not sure if that is the proper route or if there are other suggestions. Thank you.

index="wineventlog"
| rex field=EventData_Xml "server_principal_name:(?<server_principal_name>\S+)"
| rex field=EventData_Xml "server_instance_name:(?<server_instance_name>\S+)"
| rex field=EventData_Xml "action_id:(?<action_id>\S+)"
| rex field=EventData_Xml "succeeded:(?<succeeded>\S+)"
| table _time, action_id, succeeded, server_principal_name, server_instance_name
Are eventStartsFrom and eventEndsAt both set in the events you want to retrieve or are they in separate but correlated events?
Splunk Enterprise 9.0.6, and building a summary index of sourcenumbers (count) and distinct destinations called (dc(destinationnumber)). When I run this:

... | stats count dc(destinationnumber) by sourcenumber

I get something like

sourcenumber,count,dc(destinationnumber)
+15551234567,10,8

indicating it called 10 times to 8 different numbers. Perfect. But with this:

... | sistats count dc(destinationnumber) by sourcenumber

I get:

psrsvd_ct_destinationnumber,psrsvd_gc,psrsvd_v,psrsvd_vm_destinationnumber
10,10,1,+19991234567;2,+18881234567;2,+17771234567;1,+15551234567;1 (etc)

Found no clear help in the sistats page, and in other posts like this one it seems to work (though older posts and not using count). Best guess is that the vm column 'preserves' the details, but idk why dc() isn't working like I expect.
source_address=$token.source.address$

It could be that the events that are being returned are where the $token.source.address$ value exists elsewhere in the event.
You could lookup the host and dest_port to retrieve another value from the lookup store, e.g. last time accessed (if you have saved that as well); then if no data is retrieved, the host and dest_port are unknown.
Hi Antonio, to avoid this error (assuming this is a non-production environment) you can set splunkPlatform.insecureSkipVerify to "true" in the values.yaml file you use to deploy the collector:  https://github.com/signalfx/splunk-otel-collector-chart/blob/320b40a492bc479b12beb4aad20a85e1a9fd12c1/helm-charts/splunk-otel-collector/values.yaml#L62
This shouldn't be rocket surgery. But I expect that, since Splunk was acquired by Cisco, this will never be resolved directly. Thanks to grangerx for doing God's Splunk's work.
I was able to solve this halfway through writing this. For future reference, you can't have $SPLUNK_HOME referenced in $SPLUNK_DB. At least for me, the server hadn't restarted and updated the value, so it didn't recognize it. I had to set the path manually:

SPLUNK_DB=/export/opt/splunk/data

Don't forget to leave the trailing / out. Then you can have your indexes.conf look like:

homePath = $SPLUNK_DB/hot/$_index_name/db
coldPath = $SPLUNK_DB/cold/$_index_name/colddb
Hey, I am setting up a Splunk Dev env. I have one indexer, one SH, and one forwarder. I have uninstalled and reinstalled the Dev Indexer. I am trying to set it up to use two different filesystems as cold/hot data. The error I'm receiving when I restart Splunk is

Problem parsing indexes.conf: Cannot load IndexConfig: Cannot create index '_audit': path of homePath must be absolute ('$SPLUNK_HOME/data/audit/db')
Validating databases (splunkd validatedb) failed with code '1'. If you cannot resolve the issue(s) above after consulting documentation, please file a case online at http://www.splunk.com/page/submit_issue

I'm not sure how to set this up correctly. I reinstalled the indexer so I could fix the mounts and storage. For the /export/opt/splunk/etc/system.local/indexes.conf, I have something like:

[default]
homePath = $SPLUNK_DB/hot/$_index_name/db
coldPath = $SPLUNK_DB/cold/$_index_name/colddb

For my SPLUNK_DB, I have tried to set it in the splunk-launch.conf, as shown below:

# Version 9.2.0.1
# Modify the following line to suit the location of your Splunk install.
# If unset, Splunk will use the parent of the directory containing the splunk
# CLI executable.
#
SPLUNK_HOME=/export/opt/splunk/
# By default, Splunk stores its indexes under SPLUNK_HOME in the
# var/lib/splunk subdirectory. This can be overridden
# here:
#
SPLUNK_DB=$SPLUNK_HOME/data/
# Splunkd daemon name
SPLUNK_SERVER_NAME=Splunkd
# If SPLUNK_OS_USER is set, then Splunk service will only start
# if the 'splunk [re]start [splunkd]' command is invoked by a user who
# is, or can effectively become via setuid(2), $SPLUNK_OS_USER.
# (This setting can be specified as username or as UID.)
#
# SPLUNK_OS_USER
PYTHONHTTPSVERIFY=0
PYTHONUTF8=1
ENABLE_CPUSHARES=true
If you look under lookups, it should show that those are all set and defined. So double check Lookup table files / Lookup definitions / Automatic lookups, and check the sysmon app context. Also check if there's another lookup with that name; sometimes I have seen another with the same name.

# this should point to most of the sysmon TA code (transforms) or show another
/opt/splunk/bin/splunk cmd btool transforms list eventcode --debug
| inputlookup SSE-default-data-inventory-products.csv | outputlookup data_inventory_products_lookup

Credit to https://community.splunk.com/t5/All-Apps-and-Add-ons/Splunk-Security-Essential-not-loading-correctly/m-p/467564
I am having the exact same issue.  
I'm trying to set the Description field of a ServiceNow Incident ticket through Splunk, and the string I'm passing contains a newline (\n). But when Splunk creates/updates the ticket, either through the snowincident command or an alert action, it will automatically escape the backslash character. So after Splunk passes the info to snow, the underlying JSON of the ticket looks like this:

{"description":"this is a \\n new line"}

and my Description field looks like this:

this is a \n new line

Is this something that Splunk is doing, or the ServiceNow Add-On? Does anyone know of a way to get around this?
Thanks for your speedy response and for helping me out @gcusello. Unfortunately, the average does not seem to return for this, any idea why? I'm essentially trying to get a Status Indicator Panel for this stat, as shown below.
Hi @jthomasc, at first, put all the search terms in the main search to have more performant searches. Then you have to use the timechart command, something like this:

index=abc granttype=mobile message="*Token Success*"
| timechart span=1d avg(count) AS avg

Ciao.
Giuseppe
Sorry for the confusion. I have two sets of time range. One is made from the time selector, which is used to return results that happened in the range I'm interested in. The other is hard-coded in the query. I want to force Splunk to search index A's events at most in a range of the past 6 months to 06/01/24 (during this time, logs went to index A only), and B at most in the range 06/01/24 to now. I want Splunk to auto-find an intersection of this hard-coded range and the range from the time selector.
Current query; this shows how many successful login attempts there have been.

index=abc granttype=mobile
| fields subjectid, message
| search message="*Token Success*"
| stats count

I am now looking to create a panel to show the daily average amount of successful login attempts across 7 days. Is anyone able to help me with a query please?
Thanks for your reply! It's a dashboard, and we may need to run a query to check something as well. I agree with what you said, checking empty buckets wouldn't take too much time. I was assuming the previous bucket is still getting some logs, and ignoring logs after the transition date could be faster and save me from removing duplicates, while in my case I believe it should be empty.
Hi @Silah, good for you, see you next time!
Ciao and happy splunking.
Giuseppe
P.S.: Karma Points are appreciated