Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
I am a newbie, please help me to correct my code. I tried to correct it with ChatGPT; it said the code is OK.
Does anybody know, when I click a value in a table cell, how I render an input button?
I have one more question. Can I use one Heavy Forwarder for all apps with script inputs, or would it be better to deploy a separate instance for every app? Thanks for your help!
Hello @rrovers, You can update the truncate limit on the first Splunk Enterprise instance that the data encounters. If your data flow is UF -> IUF -> Indexers or UF -> Indexers, you need to place the following sourcetype stanza on the indexers. If your data flow is UF -> IHF -> Indexers, you need to place the sourcetype configuration on the IHF. Here, IUF and IHF refer to Intermediate Universal Forwarder and Intermediate Heavy Forwarder respectively.

[<<sourcetype>>]
TRUNCATE = <<max_length_of_event>>

Also, you can set TRUNCATE to any value you wish.

--- Thanks, Tejas.
The search you have posted is not valid - please share the actual search with minimal anonymisation. Please share in a code block </> to preserve spacing etc.
Your subject is very broad - how would anyone know what this was specifically about, especially given that it is already in a Dashboards & Visualizations section! Having said that, you then restrict your required solution to not include HTML - as @gcusello says, with these restrictions, it isn't possible (with current standard visualization options). However, if you would be prepared to expand your outlook you could do something along these lines:

<row>
  <panel depends="$stayhidden$">
    <html>
      <style>
        div[id="states"] tr[data-view$="ResultsTableRow"] td:nth-child(2) {
          display: flex !important;
        }
        div[id="states"] tr[data-view$="ResultsTableRow"] td:nth-child(2) .multivalue-subcell {
          border: 2px solid black !important;
          padding-left: 4px;
          padding-right: 4px;
          margin-left: 4px;
          margin-right: 4px;
          border-radius: 8px !important;
        }
      </style>
    </html>
  </panel>
  <panel>
    <table id="states">
      <title>States</title>
      <search>
        <query>| makeresults count=10
| eval event=random() % 3
| eval state=mvindex(split("ACTIVE,SLEEP,DEAD",","),random() % 3)
| stats values(state) as state by event</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
      <option name="drilldown">none</option>
      <option name="refresh.display">progressbar</option>
    </table>
  </panel>
</row>

Note that this doesn't work if there is only one value in the multivalue field (however, with a bit of extra work, this can be gotten around by inserting an additional value into the field and then hiding this value).
Thank you. I solved it.
I have installed DVWA over XAMPP and done some cross-site scripting. Now I want to detect that malicious activity in my Splunk Enterprise. I put in the following command:

index="dvwa_logs" host="DESKTOP-OKV6K44" sourcetype="access_combined" ("' or 1=1; --" OR "admin' OR '1'='1")
| stats count by source_ip, uri, _time

but I am not getting any result.
Test post. Wasn't able to post? Edit: Okay, it works. Yes, that is a caveat to bring up. Fortunately, you can use a foreach with an iterator to make each value in the multivalue unique. I'm thinking it is something like the following. I'm sure it's not impossible to add a custom unique identifier to each value in the mv field nonetheless.

| eval iterator=0
| foreach <multivalue_field> [eval iterator=iterator+1, <<ITEM>>=iterator."-".<<ITEM>>]
``` Warning: Did not test this yet ```

Then you can perform the reverse stats join, and use split() and mvindex() to parse out your actual values without needing regex! You are correct, I was indeed working with a multivalue of unique identifiers, which is why it worked for me.
What is your question? (Subject "splunk" doesn't help narrow it down given that this is a community of Splunk users answering questions about Splunk-related issues!) Please provide a description of what you are trying to achieve, some anonymised representative sample events, your current results from searches you have tried, and what your expected results would look like (with a description of the logic relating the sample events to the expected output, if appropriate).
Calculate the overall average before the timechart and preserve the value with the values aggregate function:

index=qualys sourcetype=qualys:hostDetection SEVERITY=5 STATUS="FIXED"
| dedup HOST_ID, QID
| eval MTTR = ceiling(((strptime(LAST_FIXED_DATETIME, "%FT%H:%M:%SZ") - strptime(FIRST_FOUND_DATETIME, "%FT%H:%M:%SZ")) / 86400))
```| bucket span=1d _time```
| eventstats avg(MTTR) as OVERALL_AVG
| timechart span=1d avg(MTTR) as AVG_MTTR_PER_DAY values(OVERALL_AVG) as OVERALL_AVG
| streamstats window=7 avg(AVG_MTTR_PER_DAY) as 7_DAY_AVG
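To make the aggregation order in that search concrete, here is an added Python rendering of the same pipeline over constructed Qualys-style records. It is not code from the original answer; `RECORDS`, the function names, and the choice to bucket each detection under its fix date (the search buckets by whatever `_time` the event carries) are assumptions for the illustration. It also shows what `streamstats window=N` does on a day with no fixes, since the window is counted in rows while `avg()` skips null values.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"  # the same instant format strptime() parses in the search

# Constructed qualys:hostDetection-style records (not real Qualys data). The
# duplicate (h1, 100) row shows why the dedup matters, and no host is fixed on
# 2024-05-05, which leaves a gap in the daily series.
RECORDS = [
    {"HOST_ID": "h1", "QID": 100, "FIRST_FOUND_DATETIME": "2024-05-01T08:00:00Z", "LAST_FIXED_DATETIME": "2024-05-03T07:00:00Z"},
    {"HOST_ID": "h1", "QID": 100, "FIRST_FOUND_DATETIME": "2024-05-01T08:00:00Z", "LAST_FIXED_DATETIME": "2024-05-03T07:00:00Z"},
    {"HOST_ID": "h5", "QID": 400, "FIRST_FOUND_DATETIME": "2024-04-30T00:00:00Z", "LAST_FIXED_DATETIME": "2024-05-03T00:00:00Z"},
    {"HOST_ID": "h3", "QID": 200, "FIRST_FOUND_DATETIME": "2024-05-02T00:00:00Z", "LAST_FIXED_DATETIME": "2024-05-02T06:00:00Z"},
    {"HOST_ID": "h4", "QID": 300, "FIRST_FOUND_DATETIME": "2024-05-03T00:00:00Z", "LAST_FIXED_DATETIME": "2024-05-04T01:00:00Z"},
    {"HOST_ID": "h2", "QID": 100, "FIRST_FOUND_DATETIME": "2024-05-01T12:00:00Z", "LAST_FIXED_DATETIME": "2024-05-06T12:00:00Z"},
]


def parse_ts(s):
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def mttr_days(rec):
    """ceiling((fixed - found) / 86400), as in the search's eval."""
    delta = parse_ts(rec["LAST_FIXED_DATETIME"]) - parse_ts(rec["FIRST_FOUND_DATETIME"])
    return math.ceil(delta.total_seconds() / 86400)


def dedup(records):
    """'| dedup HOST_ID, QID': keep the first row per (host, detection)."""
    seen, out = set(), []
    for rec in records:
        key = (rec["HOST_ID"], rec["QID"])
        if key not in seen:
            seen.add(key)
            out.append(rec)
    return out


def overall_average(records):
    """'| eventstats avg(MTTR)': one number over every deduped row."""
    vals = [mttr_days(r) for r in dedup(records)]
    return sum(vals) / len(vals)


def daily_average(records):
    """'| timechart span=1d avg(MTTR)', bucketing by fix date (assumption: the
    event's _time is its LAST_FIXED_DATETIME). Days with no fixes are kept in
    the series with None, as timechart emits them with a null value."""
    per_day = defaultdict(list)
    for rec in dedup(records):
        per_day[parse_ts(rec["LAST_FIXED_DATETIME"]).date()].append(mttr_days(rec))
    day, last = min(per_day), max(per_day)
    series = []
    while day <= last:
        vals = per_day.get(day)
        series.append((day.isoformat(), sum(vals) / len(vals) if vals else None))
        day += timedelta(days=1)
    return series


def rolling_average(series, window=7):
    """'| streamstats window=N avg(...)': the window is counted in rows, so an
    empty day still consumes a slot, while avg() ignores the null values."""
    out = []
    for i in range(len(series)):
        vals = [v for _, v in series[max(0, i - window + 1): i + 1] if v is not None]
        out.append((series[i][0], sum(vals) / len(vals) if vals else None))
    return out


if __name__ == "__main__":
    daily = daily_average(RECORDS)
    print("overall:", overall_average(RECORDS))
    for (day, per_day), (_, r7) in zip(daily, rolling_average(daily, 7)):
        print(day, per_day, r7)
```

In the search, `values(OVERALL_AVG)` inside the `timechart` is what carries the single `eventstats` number across every daily row; here `overall_average()` is simply called once. `rolling_average(daily, 2)` returns `5.0` for 2024-05-06 because the only other row in its window is the empty 2024-05-05, which is the sparse-series behaviour to keep in mind when reading a short-window moving average.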
This solution only works if all the values in the multivalue field are unique across all instances of the field. For example:

| makeresults count=10
| eval mv=mvrange(0,(random()%5)+1)
| streamstats count as row
| stats values(*) as * by mv

This produces only 5 events instead of the between 10 and 50 events which mvexpand of mv would have produced.
Hello, I have installed DVWA on my XAMPP server and practiced some SQL attacks on DVWA. After that I typed the following in the Splunk search bar, but it isn't showing any result.

index=dvwa_logs (error OR "SQL Injection" OR "SQL Error" OR "SQL syntax") OR (sourcetype=access_combined status=200 AND (search_field="*' OR 1=1 --" OR search_field="admin' OR '1'='1"))
| stats count by source_ip, search_field, host
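Both DVWA posts above search the raw access_combined text for the attack strings exactly as they were typed into the DVWA form. Apache logs the request line as the browser sent it, so the quotes, spaces and equals signs of `' OR 1=1 --` arrive percent- or plus-encoded (`%27+OR+1%3D1+--`), and a literal match on the decoded string finds nothing; the detection has to decode the query string first (in SPL, `urldecode()` on the extracted `uri_query` field, assuming the standard access_combined extractions, which also name the client address `clientip`). The following Python example is added here to show that decode-then-match step over constructed log lines; it is not code from either post, and the sample lines, the `SIGNATURES` table and the function names are assumptions made for the illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache access_combined lines standing in for DVWA traffic (not real
# log data): two SQL injection probes, one reflected-XSS probe and one benign
# request. The payloads' quotes and spaces arrive encoded, as a browser sends them.
SAMPLE_LOG = """\
192.168.56.1 - - [12/May/2024:10:01:02 +0200] "GET /dvwa/vulnerabilities/sqli/?id=%27+OR+1%3D1+--&Submit=Submit HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
192.168.56.1 - - [12/May/2024:10:01:09 +0200] "GET /dvwa/vulnerabilities/sqli/?id=admin%27%20OR%20%271%27%3D%271&Submit=Submit HTTP/1.1" 200 4903 "-" "Mozilla/5.0"
192.168.56.1 - - [12/May/2024:10:02:30 +0200] "GET /dvwa/vulnerabilities/xss_r/?name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 4110 "-" "Mozilla/5.0"
192.168.56.1 - - [12/May/2024:10:03:00 +0200] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4700 "-" "Mozilla/5.0"
"""

# Minimal access_combined parser: client IP, timestamp, request target, status.
ACCESS_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<request>\S+) [^"]*" (?P<status>\d{3}) '
)

# Signatures are applied to each *decoded* parameter value, not to the raw line.
SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.I),
    "sqli_comment_tail": re.compile(r"(--|#)\s*$|/\*"),
    "xss_script_tag": re.compile(r"<\s*script\b", re.I),
    "xss_event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
}


def count_literal(log: str, needle: str) -> int:
    """What a plain quoted-string search sees: the raw, still-encoded log text."""
    return sum(1 for line in log.splitlines() if needle.lower() in line.lower())


def parse_line(line: str):
    """Return clientip, uri_path, status and the decoded query parameters, or None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("request"))
    # parse_qsl percent-decodes each name and value and turns '+' back into spaces.
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {
        "clientip": m.group("clientip"),
        "uri_path": parts.path,
        "status": int(m.group("status")),
        "params": params,
    }


def detect(line: str):
    """Return (clientip, uri_path, param, signature) for every hit on the line."""
    rec = parse_line(line)
    if rec is None:
        return []
    hits = []
    for name, value in rec["params"]:
        for sig, rx in SIGNATURES.items():
            if rx.search(value):
                hits.append((rec["clientip"], rec["uri_path"], name, sig))
    return hits


def summarize(log: str) -> Counter:
    """Equivalent of '| stats count by clientip, uri_path, signature'."""
    counts = Counter()
    for line in log.splitlines():
        for clientip, uri_path, _param, sig in detect(line):
            counts[(clientip, uri_path, sig)] += 1
    return counts


if __name__ == "__main__":
    print("literal hits on raw lines:", count_literal(SAMPLE_LOG, "' or 1=1"))
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
```

`count_literal()` reproduces what the quoted-string search sees on the raw line and returns 0 for both payloads; `summarize()` is the `stats count by` over the decoded hits. Patterns are matched per parameter value rather than against the whole URL so that the comment-tail check keys on the end of the injected value and not on the `&` that separates parameters.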
Events longer than 15,000 characters are truncated now. We wonder if there is a limit for this (so for example in the configuration the maximum event length can't be set to a number higher than 50,000). Where and how can we change this limit for a certain index?
Hi @Somesh, this seems to be a different question, and I suggest opening a new question to be more sure of getting more and probably better answers. Anyway, Splunk best practices recommend running Splunk as a non-root user, for security reasons, but this brings some additional difficulties in log reading. For more information see https://docs.splunk.com/Documentation/Splunk/9.2.1/Installation/RunSplunkasadifferentornon-rootuser Ciao. Giuseppe P.S.: Karma Points are appreciated
Hi @bworrellZP, you could use (only in a lab) the syslog network input, which doesn't write to disk. Otherwise, use rsyslog, writing syslog to disk, and then read these logs using batch instead of monitor in inputs.conf. For more info see https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Inputsconf In this way logs are deleted soon after ingestion. Ciao. Giuseppe
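The rsyslog-to-disk arrangement in that reply, as an added inputs.conf example (this is not from the original answer; the spool directory, index and sourcetype are assumptions):

```ini
# Added example, not from the original post. rsyslog writes completed files
# into this spool; the batch input indexes each file once and then deletes it.
[batch:///var/log/rsyslog-spool/*.log]
move_policy = sinkhole
sourcetype = syslog
index = syslog
disabled = 0
```

`move_policy = sinkhole` is mandatory for a batch stanza and is what removes the file after indexing. Because each file is consumed once, rsyslog should hand over closed, rotated files rather than the one it is still appending to; lines written after pickup would otherwise be lost.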
Hi @VijaySrrie, they should work also using three different calculated fields; anyway, you could nest the conditions from the other calculated fields, even if the final calculated field will be longer:

| eval action=case(error="invalid credentials", "failure", ((like('request.path',"auth/ldap/login/%") OR like('request.path',"auth/ldapco/login/%")) AND (NOT error="invalid credentials")) OR (like('request.path',"auth/token/lookup-self") AND ('auth.display_name'="root")), "success")
| eval app=case(action="success" OR action="failure", "appname_Authentication")
| eval valid=if(error="invalid credentials","Error","Success")

Ciao. Giuseppe
Hi @cshihua, you have to use a normal subsearch: [ | datamodel Tutorial Client_errors index | fields index] | ... Ciao. Giuseppe
Hi @silverKi, to my knowledge it isn't possible! Ciao. Giuseppe
On your Splunk Search Head, you can find some examples for this. Example link - change the server name to your own: https://MY_SPLUNK_SERVER/en-GB/app/splunk-dashboard-studio/example-hub-security-summary-dashboard Or you can go to Search > Dashboards > Visit examples hub - there are plenty of examples there for you to check and see the JSON code.