I am trying to delete users that just use Splunk authentication. I have the admin role. I have tried both the web GUI and the CLI to delete users, but they are still visible after deletion. But something seems to have happened, because, even though the users are still showing up using the list command in the CLI, when I try to delete the user using the remove command, it says the user does not exist. Is there a config file I need to edit to get the users to stop appearing? This is also a clustered Splunk Enterprise environment, does this mean there are further steps I have to take to delete a user? Thanks
@ITWhisperer we have splunk add-on windows deployed on all machines.
What data do you have ingested into Splunk?
Hi, can someone help me with a Splunk search to identify browsers installed on a machine? I'm looking for a specific field where I can capture this data. Thanks
 index = "*" "a39d0417-bc8e-41fd-ae1f-7ed5566caed6" "*uploadstat*" status=Processed
Hi @Splunk-Star, could you share more info, e.g. some screenshots? Thank you. Ciao. Giuseppe
Show source is not loading for only one event, getting "Failed to find target event in final sorted event list. Cannot properly prune results" after loading
Hello, and thanks for the tip. I will look into getting TLS set up and/or a new cert - the cert will need to be self-signed. Splunk was restarted after each upgrade. I am not familiar with the acronym "SHC". Thanks for the info. ewholz
Thanks for the brief explanation.
The monitor stanza should specify an index name so Splunk knows where to put the data.  Without that, everything goes in the 'main' index. Your (and everyone else's) search query should specify the index name to search.  This makes the query more efficient and avoids reliance on your default index.  The index name in the query must match the index name in the monitor stanza for Splunk to find the data. The message about the tags.conf file is a symptom of a different problem and should be easy to correct.  Go to line 1 of the file specified in the message and URL-encode the value.
Hi @nisheethbaxi , if you're sure to have the backslashes in your logs, you could try this regex: | rex "account_id\\\":\\\"(?<account_id>[^\\]+)" that you can test at https://regex101.com/r/maaQBE/1 or the following (there's an issue using a regex in Splunk when there's a backslash) | rex "account_id\\\\\":\\\\\"(?<account_id>[^\\]+)" Ciao. Giuseppe
Hello, maybe I'm missing some points but it seems that the result is the same
I have a splunk query that has following text in message field -  "message":"sypher:[tokenized] build successful -\xxxxy {\"data\":{\"account_id\":\"ABC123XYZ\",\"activity\":{\"time\":\"2024-05-31T12:37:25Z\}}" I need to extract value ABC123XYZ which is between account_id\":\" and \",\"activity. I tried the following query but it's not returning any data. index=prod_logs app_name="abc" | rex field=_raw "account_id\\\"\:\\\"(?<accid>[^\"]+)\\\"\,\\\"activity" | where isnotnull (accid) | table accid  
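The escaping problem discussed in this question and in Giuseppe's reply, shown as an added example that is not part of the original thread and is not SPL: a small Python script using the standard re and json modules, run over a constructed sample modelled on the quoted message (the original paste is truncated, so the tail of the sample is an assumption made only to keep the embedded JSON well-formed). It shows that the raw event carries a literal backslash before every inner double quote, so a pattern written for plain account_id":" never matches while one that escapes those backslashes does, and it shows a regex-free alternative that decodes the embedded JSON instead. The extra layer of SPL string escaping mentioned in the reply is not modelled here; the function names are assumptions.

```python
import json
import re

# Constructed sample, modelled on the message quoted in the question above.
# The original paste is truncated and has an unbalanced quote near the end; the
# tail here is completed only so that the embedded JSON is well-formed. Because
# the JSON was serialised inside another string, the raw event contains a
# literal backslash before every inner double quote.
SAMPLE_RAW = (
    r'"message":"sypher:[tokenized] build successful -\xxxxy '
    r'{\"data\":{\"account_id\":\"ABC123XYZ\",'
    r'\"activity\":{\"time\":\"2024-05-31T12:37:25Z\"}}}"'
)

# Pattern that forgets the backslashes: it looks for  account_id":"  but the
# raw text actually contains  account_id\":\"  so it never matches.
NAIVE_RE = re.compile(r'account_id":"(?P<account_id>[^"]+)"')

# Pattern that escapes each literal backslash in the data as \\ in the regex.
# The capture stops at the next backslash or quote, i.e. the \" that closes
# the value.
ESCAPED_RE = re.compile(r'account_id\\":\\"(?P<account_id>[^\\"]+)\\"')


def extract_account_id_naive(raw: str):
    """Returns None for the sample: the unescaped pattern does not match."""
    m = NAIVE_RE.search(raw)
    return m.group("account_id") if m else None


def extract_account_id_regex(raw: str):
    """Extracts the value with a pattern that matches the literal backslashes."""
    m = ESCAPED_RE.search(raw)
    return m.group("account_id") if m else None


def extract_account_id_json(raw: str):
    """Alternative that avoids hand-written escaping entirely.

    Cut out the escaped object, undo one level of string escaping by decoding
    it as a JSON string literal, then parse the result as JSON and walk the
    dict. Returns None if either decode step fails or the key is absent.
    """
    start = raw.find("{")
    end = raw.rfind("}")
    if start == -1 or end == -1 or end < start:
        return None
    escaped_object = raw[start:end + 1]
    try:
        unescaped = json.loads('"' + escaped_object + '"')  # turns \" into "
        payload = json.loads(unescaped)
    except json.JSONDecodeError:
        return None
    data = payload.get("data")
    if not isinstance(data, dict):
        return None
    return data.get("account_id")


if __name__ == "__main__":
    print("naive  :", extract_account_id_naive(SAMPLE_RAW))   # None
    print("escaped:", extract_account_id_regex(SAMPLE_RAW))   # ABC123XYZ
    print("json   :", extract_account_id_json(SAMPLE_RAW))    # ABC123XYZ
```

The JSON route is the more robust one when the payload shape varies, since it does not depend on which key happens to follow account_id; the regex route is what maps most directly onto a rex command.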
The above suggestions are great, but what worked on my end was simply scrolling to the end of the user agreement (I think the Splunk creators want us to read through it). I did not have to change anything in any of the files listed in the first suggestion.
If the word list under your tag cloud is displaying the words you expect to see, then you might just need to use the Format button to define your field label and value. Next to your visual type, click Format. Then enter your field name 'word', value type 'count', and then the font sizes you want. I used 100 and 8.
Hi @LearningGuy, I understand that you're not an admin, but roles are the only way to restrict access in Splunk. So, ask your administrators to create different roles to enable your dashboards and knowledge objects only to selected (by role) users. Ciao. Giuseppe
Hi @gcusello , just to clarify. I am not an admin, so it's not possible for me to create a role, correct? Thanks
Well obviously it is possible! The "issue" is that the total emails are counted by user, subject and action, whereas the other two counts are by just user and subject. You could change the eventstats to correct this | eventstats sum(eval(if(action="quarantined", 1, 0))) as quarantined_count_peruser, sum(eval(if(action="delivered", 1, 0))) as delivered_count_peruser sum(total_emails) as total_emails by src_user, subject
Hello @ITWhisperer , the result should be the total email count, and the specific counts for the delivered and quarantined ones. In my screenshot there are, for example, 6 total emails (first row) and 12 delivered, which is not possible. So a possible expectation would be:
Case 1: 6 total emails, 6 delivered, 0 quarantined
Case 2: 6 total emails, 3 delivered, 3 quarantined
Case 3: 6 total emails, 1 delivered, 5 quarantined
I installed the Snort 3 JSON Alerts add-on. I made changes in inputs.conf (/opt/splunk/etc/apps/TA_Snort3_json/local) like this:
[monitor:///var/log/snort/*alert_json.txt*]
sourcetype = snort3:alert:json
When I search for events like below (sourcetype="snort3:alert:json") there is NOTHING. But Splunk knows there is something in that path, and how many. Like below. What more I can tell is what Splunk tells me when starting:
Value in stanza [eventtype=snort3:alert:json] in /…/TA_Snort3_json/default/tags.conf, line 1 is not URL encoded: eventtype = snort3:alert:json
Your indexes and inputs configurations are not internally consistent. For more info, run 'splunk btool check --debug'
Please help.