All Posts
Hello, can the below log path of Windows logs be ingested into Splunk, and is this available in any add-ons?
Microsoft\Windows\Privacy-Auditing\Operational EventLog
Thanks
Hi @vstan, ok, please try this:
index="ABC" (sourcetype="SourceA" OR sourcetype="SourceB")
| eval User=coalesce(user,User)
| stats values(TOTAL_ATTACHMENT_SIZE_SEGMENT) AS Total_Bytes_Size values(EMAIL_ADDRESS) AS EMAIL_ADDRESS BY User
| sort - Total_Bytes_Size
The error was caused by the space after sum. Ciao. Giuseppe
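A caveat on the search above, as an added example and not part of Giuseppe's reply: TOTAL_ATTACHMENT_SIZE_SEGMENT holds a bucket label such as "5-25MB", so `sort - Total_Bytes_Size` orders the strings lexically ("5-25MB" sorts after "100-500MB") rather than by size, and `values()` produces a multivalue field when a user appears in several buckets. The variant below extracts the numeric upper bound of each bucket before the stats, sorts on that, and drops the "0MB" bucket and the CSV header row that the earlier search filtered with where. It assumes the bucket format is always "<low>-<high>MB" and that the index, sourcetype and field names are the ones used in this thread; it is not a search from the original page.

```spl
index="ABC" (sourcetype="SourceA" OR sourcetype="SourceB")
    NOT TOTAL_ATTACHMENT_SIZE_SEGMENT IN ("0MB", "TOTAL_ATTACHMENT_SIZE_SEGMENT")
| eval User=coalesce(user, User)
| rex field=TOTAL_ATTACHMENT_SIZE_SEGMENT "^(?<seg_low_mb>\d+)-(?<seg_high_mb>\d+)MB$"
| stats values(TOTAL_ATTACHMENT_SIZE_SEGMENT) AS Total_Bytes_Size
        max(seg_high_mb) AS Max_Segment_MB
        values(EMAIL_ADDRESS) AS EMAIL_ADDRESS
        BY User
| where isnotnull(Max_Segment_MB)
| sort - Max_Segment_MB
```

`NOT field IN (...)` is used instead of `field!=...` so that Source B events, which carry no TOTAL_ATTACHMENT_SIZE_SEGMENT at all, still reach the stats and contribute the EMAIL_ADDRESS. The final where drops users that exist only in Source B and therefore have no bytes to report; remove it if you also want those rows.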
Team, I have 3 logs. I need to fetch Transaction_id, Event and Total_Count from LOG1. After that I need to join the 3 logs to get Successful and Failures. A successful transaction will have only LOG2. Failure transactions will have both LOG2 and LOG3. Finally I need the data in a timechart (span=1h):
_time Event Total_Count Successful Error
LOG1 = 024-05-29 12:35:49.288 [INFO ] [Transaction_id] : servicename : access : Event : process : Payload:
LOG2 = 2024-05-29 12:11:09.226 [INFO ] [Transaction_id] : application_name : report : servicename (Async) : DB save for SubscribersSettingsAudit record completed in responseTime=2 ms
LOG3 = 2024-05-24 11:25:36.307 [ERROR] [Transaction_id] : application_name : regular : servicename (Async) : Couldn't save the SubscribersSettings record in DB
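One way to build the requested table without join, as an added example rather than an answer from the original thread: extract the bracketed level and Transaction_id once, classify each line as LOG1/LOG2/LOG3, collapse every transaction into one row with stats BY Transaction_id, decide the outcome from which line types were seen, and bucket by the LOG1 timestamp. The index and sourcetype names, the "Payload:" and "responseTime=" markers used to tell LOG1 and LOG2 apart, and the position of the Event name (the segment after "access") are assumptions taken from the three sample lines above; adjust them to the real format.

```spl
index="app_logs" sourcetype="app_log"
| rex "^\S+ \S+ \[(?<level>\w+)\s*\] \[(?<Transaction_id>[^\]]+)\]"
| rex " : access : (?<Event>[^:]+?) : "
| eval log_type=case(match(_raw, "Payload:"), "LOG1",
                     level="ERROR", "LOG3",
                     match(_raw, "responseTime="), "LOG2")
| where isnotnull(log_type)
| eval start_time=if(log_type="LOG1", _time, null())
| stats min(start_time) AS start_time
        values(Event) AS Event
        count(eval(log_type="LOG2")) AS log2_count
        count(eval(log_type="LOG3")) AS log3_count
        BY Transaction_id
| where isnotnull(start_time)
| eval outcome=case(log3_count>0, "Error",
                    log2_count>0, "Successful",
                    true(), "Pending")
| eval _time=start_time
| bin _time span=1h
| stats count AS Total_Count
        count(eval(outcome="Successful")) AS Successful
        count(eval(outcome="Error")) AS Error
        BY _time Event
```

bin plus stats BY _time Event is used instead of timechart because timechart allows only one aggregation when a split-by field is given, while the requested output needs Total_Count, Successful and Error side by side per Event and hour. Transactions with LOG1 but neither LOG2 nor LOG3 yet are counted in Total_Count only (outcome "Pending"), so run the search over a window wide enough to contain the asynchronous LOG2/LOG3 lines, which arrive after LOG1.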
Hi @gcusello My data is already 'summed'. This is how it is stored:
TOTAL_ATTACHMENT_SIZE_SEGMENT 5-25MB
When I try to run the query you provided it gives me an error:
Error in 'stats' command: The argument '(TOTAL_ATTACHMENT_SIZE_SEGMENT)' is invalid.
Hi @pc591f, check whether the add-ons I mentioned are installed and whether the inputs that collect the information you need are enabled. If yes, you only have to create your searches. If not, you don't have the information for your use cases. Ciao. Giuseppe
Hi Gcusello, thanks for the information. Forwarders are currently installed on all servers; it's just setting up the searches, as my colleague is away for the week and I'm just trying to set up some basic alerts. Thanks for your advice.
Hi @vstan, are you sure that you don't need to sum the bytes? Please try this:
index="ABC" (sourcetype="SourceA" OR sourcetype="SourceB")
| eval User=coalesce(user,User)
| stats sum (TOTAL_ATTACHMENT_SIZE_SEGMENT) AS Total_Bytes_Size values(EMAIL_ADDRESS) AS EMAIL_ADDRESS BY User
| sort - Total_Bytes_Size
Ciao. Giuseppe
Hi @gcusello I can't seem to make it work. I'll try to explain in more detail.
I have two sources (sourcetypes, basically).
Source A: User ID, Total bytes sent
Source B: User ID, User Email address
I want to calculate the total bytes sent per User ID (for this I need Source A). I have done this, and the results give me an ID with the amount of bytes sent for each user.
The next step for me is to put the User Email Address next to the User ID. This value is only known in Source B. So I need to correlate them so that I can tell Splunk: look up this UserID and give me the User Email Address back in a table next to it.
I currently have the following:
index="ABC" (source="SourceA" OR source="SourceB")
| eval Total_Bytes_Size=TOTAL_ATTACHMENT_SIZE_SEGMENT
| eval user=User
| dedup User
| where NOT Total_Bytes_Size="TOTAL_ATTACHMENT_SIZE_SEGMENT"
| where NOT Total_Bytes_Size="0MB"
| table User, Total_Bytes_Size
| sort - Total_Bytes_Size
This gives me a table with the UserID and the total bytes sent. Now I only need to add a column with the corresponding EMAIL_ADDRESS from Source B.
Hope this clears it up a bit.
Hi @jaracan, for storage you can use https://splunk-sizing.soclib.net/ ; for the resources, I suggest following the Splunk Architecting training. This link could be useful: https://lantern.splunk.com/Splunk_Platform/Product_Tips/Administration/Sizing_your_Splunk_architecture Ciao. Giuseppe
Hi @pc591f, first see in the documentation how to get data in from forwarders (https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/Usingforwardingagents), then install on the forwarders one of these apps: Splunk TA for Windows (https://splunkbase.splunk.com/app/742) or Splunk TA for nix (https://splunkbase.splunk.com/app/833), remembering to enable the inputs that are disabled by default. Having those logs, you can create your own searches. The most difficult part is knowing what to search for, but this isn't Splunk knowledge. To understand how to create the search, you can follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/8.1.0/SearchTutorial/WelcometotheSearchTutorial). Ciao. Giuseppe
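Two starting-point searches for the use cases listed in the question, added here as an example and not taken from Giuseppe's reply or from either add-on. They assume the Windows TA is collecting the Security, System and Application channels in XML format (sourcetype XmlWinEventLog, source XmlWinEventLog:<channel>) into an index named wineventlog, that its LogicalDisk perfmon input is enabled into an index named perfmon, and that the nix TA's df scripted input (sourcetype df, fields UsePct and MountedOn) lands in an index named os; change those names to match your inputs. Nothing needs to follow host= to cover every server: leave the host filter out, or use host=* and narrow later. Kernel driver signing is not covered because it needs the Microsoft-Windows-CodeIntegrity/Operational channel, which is not part of this search.

```spl
index="wineventlog" sourcetype="XmlWinEventLog"
    (
        (source="XmlWinEventLog:Security" EventCode IN (1102, 4625, 4720, 4946, 4947, 4948))
        OR (source="XmlWinEventLog:System" EventCode IN (20, 104, 7034, 7045))
        OR (source="XmlWinEventLog:Application" EventCode IN (1000, 11707))
    )
| eval use_case=case(
      EventCode=1102 OR EventCode=104, "Event log cleared",
      EventCode=4625, "Failed logon (account usage)",
      EventCode=4720, "User account created (account usage)",
      in(EventCode, 4946, 4947, 4948), "Windows Firewall rule changed",
      EventCode=7034, "Service terminated unexpectedly",
      EventCode=7045 OR EventCode=11707, "Service or software installed",
      EventCode=20 AND match(_raw, "WindowsUpdateClient"), "Windows Update installation failure",
      EventCode=1000, "Application crash")
| where isnotnull(use_case)
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen BY host use_case
| convert ctime(first_seen) ctime(last_seen)
| sort host use_case

(index="perfmon" sourcetype="Perfmon:LogicalDisk" counter="% Free Space" instance!="_Total")
    OR (index="os" sourcetype="df")
| eval pct_free=case(sourcetype="Perfmon:LogicalDisk", tonumber(Value),
                     sourcetype="df", 100 - tonumber(replace(UsePct, "%", "")))
| eval mount=coalesce(instance, MountedOn)
| stats latest(pct_free) AS pct_free BY host mount
| where pct_free < 10
| sort pct_free
```

The first search is meant to be saved as an alert with a trigger on count>0 over a short window, and the event IDs are the well-known ones for each use case: 1102 and 104 for the Security and System logs being cleared, 7045 and 11707 for new services and MSI installs, 7034 for a service dying, 1000 for Application Error crashes, 20 from the WindowsUpdateClient provider for failed update installs, 4946-4948 for firewall rule changes, and 4625/4720 as a minimal account-usage pair. The second search gives one row per host and volume with less than 10% free space across both Windows (Perfmon % Free Space) and Unix (df) hosts; if your Unix TA emits UsePct without the trailing %, the replace() is simply a no-op.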
Hi @vstan, you have to use the stats command BY the correlation key, something like this:
index=indexA OR index=indexB
| stats values(field1) AS field1 values(field2) AS field2 values(field3) AS field3 values(User_email) AS User_email BY User_ID
You can add all the fields you need to the stats command. Anyway, don't use the join command! Ciao. Giuseppe
Hi, I was wondering how to correlate data from different sources.
For example:
Source A contains: User ID = 123
Source B contains: User ID = 123, User email = user@user
I want to find the user related to UserID 123 (which comes up in my search). I want to do this by getting the user email from Source B. My search runs on Source A since there are some fields I need from there.
I'm very new to this and found we do not have any alerts set up for basic things like disk space on drives etc. I've done some basic courses but I don't know what to put after Host= to capture all drives on both Windows and Unix.
- Application crashes
- System or service failures
- Windows Update errors
- Windows Firewall
- Clearing event logs
- Software and service installation
- Account usage
- Kernel driver signing
Hi @NC_AS, good for you, see you next time! Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated
Hi @man03359, the design of a clustered Splunk architecture is a job for a Splunk Architect; if you don't have this knowledge or certification, I suggest being supported by a certified one. Anyway, the phases of your job are the following: requirements analysis (users, data volume, apps to use, scheduled searches, perimeter, types of data sources, etc.), design of the architecture, implementation. For the last item, you can look at https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/Aboutclusters and https://docs.splunk.com/Documentation/Splunk/9.2.1/DistSearch/AboutSHC For the other two items, a Certified Splunk Architect is mandatory to properly design the infrastructure and the architecture. Ciao. Giuseppe
Hey there - I'm new to Splunk Enterprise and have this crazy graphics mash-up when I hit browse in the Install App From File button - really annoying - has this happened to others & is there a quick fix? Cheers Andy  
Hi All, I'm currently facing the same issue. Any idea what was wrong with the payload? When I upload the DEV Azure AD tenant metadata, SSO is working as expected. But it's not working for the STAGE and PROD tenants and shows the error below:
Verification of SAML assertion using the IDP's certificate provided failed. Error: failed to verify signature with cert
Hi! I have recently moved from a Splunk developer role to an admin role. I have to build a cluster environment from scratch on-prem. I have a basic understanding of a clustered environment but haven't set one up yet. Could you please guide me on how I can start, like what type of knowledge/information gathering I need to do with the client or customer beforehand? Also, if there is any procedure/order of components to follow, it will be really helpful for me. Thanks in advance
You could try something like this:
| rest /servicesNS/-/-/alerts/fired_alerts
Thanks @ITWhisperer, do you know how I could obtain this information?