Hi @vstan, are you sure that you don't need to sum the bytes? Please try this:

index="ABC" (sourcetype="SourceA" OR sourcetype="SourceB")
| eval User=coalesce(user,User)
| stats sum(TOTAL_ATTACHMENT_SIZE_SEGMENT) AS Total_Bytes_Size values(EMAIL_ADDRESS) AS EMAIL_ADDRESS BY User
| sort - Total_Bytes_Size

Ciao. Giuseppe
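As an added illustration of the stats-based correlation recommended in this thread (not part of any post above), the following search pulls the per-user byte totals from the events that carry them (Source A in the thread) and the email address from the events that carry that (Source B), and joins the two on the normalised User field with a single stats. The sourcetype names, the field names TOTAL_ATTACHMENT_SIZE_SEGMENT and EMAIL_ADDRESS, and the assumption that the size field holds a plain numeric byte count (so that tonumber() succeeds and the header row and empty values drop out as null) are taken from or assumed for the thread; adjust them to your data.

```spl
index="ABC" (sourcetype="SourceA" OR sourcetype="SourceB")
| eval User=coalesce(user, User)
| where isnotnull(User)
| eval bytes=tonumber(TOTAL_ATTACHMENT_SIZE_SEGMENT)
| stats sum(bytes) AS Total_Bytes_Size values(EMAIL_ADDRESS) AS EMAIL_ADDRESS BY User
| where Total_Bytes_Size > 0
| sort - Total_Bytes_Size
```

Because stats groups both sourcetypes by the same key, every User row gets its summed bytes from the Source A events and its address from the Source B events without a join; an ID that appears only in Source B contributes no bytes and is removed by the final where, and an ID that appears only in Source A keeps its total with an empty EMAIL_ADDRESS, which is the case to check when rows come back without an address.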
Hi @gcusello, I can't seem to make it work. I'll try to explain in more detail.

I have two sources (sourcetypes basically).

Source A: User ID, Total bytes sent
Source B: User ID, User Email address

I want to calculate the total bytes sent per User ID (for this I need Source A). I have now done this and the results give an ID with the amount of bytes sent for each user.

The next step for me is to put the User Email Address next to the User ID. This value is only known in Source B. So I need to correlate them together so that I can tell Splunk: look up this UserID and give me the User Email Address back in a table next to it.

I currently have the following:

index="ABC" (source="SourceA" OR source="SourceB")
| eval Total_Bytes_Size=TOTAL_ATTACHMENT_SIZE_SEGMENT
| eval user=User
| dedup User
| where NOT Total_Bytes_Size="TOTAL_ATTACHMENT_SIZE_SEGMENT"
| where NOT Total_Bytes_Size="0MB"
| table User, Total_Bytes_Size
| sort - Total_Bytes_Size

This gives me a table with the UserID and the total bytes sent. Now I only need to add a row with the corresponding EMAIL_ADDRESS from Source B.

Hope this clears it up a bit.
Hi @jaracan, for storage you can use https://splunk-sizing.soclib.net/; for the resources, I suggest following the Splunk Architecting Training. This link could be useful: https://lantern.splunk.com/Splunk_Platform/Product_Tips/Administration/Sizing_your_Splunk_architecture Ciao. Giuseppe
Hi @pc591f, first see in the documentation how to get data in from forwarders (https://docs.splunk.com/Documentation/Splunk/9.2.1/Data/Usingforwardingagents), then install on the forwarders one of these apps: Splunk TA for Windows (https://splunkbase.splunk.com/app/742) or Splunk TA for nix (https://splunkbase.splunk.com/app/833), remembering to enable the inputs that are disabled by default. Having those logs, you can create your own searches. The most difficult part is knowing what to search for, but this isn't Splunk knowledge. To understand how to create the search, you can follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/8.1.0/SearchTutorial/WelcometotheSearchTutorial). Ciao. Giuseppe
Hi @vstan, you have to use the stats command BY the correlation key, something like this:

index=indexA OR index=indexB
| stats values(field1) AS field1 values(field2) AS field2 values(field3) AS field3 values(User_email) AS User_email BY User_ID

You can add all the fields you need in the stats command. Anyway, don't use the join command! Ciao. Giuseppe
Hi, I was wondering how to correlate data using different sources.

For example:

Source A contains: User ID = 123
Source B contains: User ID = 123, User email = user@user

I want to find the user related to the UserID 123 (which comes up after my search). I want to do this by getting the User email from Source B. My search runs in Source A since there are some fields I need from there.
I'm very new to this and found we do not have any alerts set up for basic things like disk space on drives etc. I've done some basic courses but I don't know what to put after Host= to capture all drives on both Windows and Unix.

Application Crashes.
System or Service Failures.
Windows Update Errors.
Windows Firewall.
Clearing Event Logs.
Software and Service Installation.
Account Usage.
Kernel Driver Signing.
Hi @NC_AS , good for you, see next time! Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated
Hi @man03359, the design of a clustered Splunk architecture is a job for a Splunk Architect; if you don't have this knowledge or certification, I suggest getting support from a certified one. Anyway, the phases of your job are the following: requirements analysis (users, data volume, apps to use, scheduled searches, perimeter, types of data sources, etc.), design of the architecture, implementation. For the last item, you can look at https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/Aboutclusters and https://docs.splunk.com/Documentation/Splunk/9.2.1/DistSearch/AboutSHC. For the other two items, a Certified Splunk Architect is mandatory to design the infrastructure and the architecture well. Ciao. Giuseppe
Hey there - I'm new to Splunk Enterprise and have this crazy graphics mash-up when I hit Browse in the Install App From File button - really annoying - has this happened to others & is there a quick fix? Cheers, Andy
Hi All, I'm currently facing the same issue. Any idea what was wrong with the payload? When I upload the DEV Azure AD tenant metadata, SSO is working as expected. But it's not working for the STAGE and PROD tenants and shows the error below:

Verification of SAML assertion using the IDP's certificate provided failed. Error: failed to verify signature with cert
Hi! I have recently moved out of a Splunk developer role into an admin role. I have to build a cluster environment from scratch on-prem. I have a basic understanding of a clustered environment but haven't set one up yet. Could you please guide me on how I can start? For example, what kind of knowledge/information gathering do I need to do with the client or customer beforehand? Also, if there is any procedure/order of components to follow, it will be really helpful for me. Thanks in advance
You could try something like this:

| rest /servicesNS/-/-/alerts/fired_alerts
Thanks @ITWhisperer, do you know how I could obtain this information?
Yes, but by developing the add-on from scratch.
@Sudhir.Bobade got back to me saying that they uninstalled and reinstalled, and it worked that time around.
I've managed to toy with the .csv to the point where it lets my apps pass. Let's take, for example, Splunk Security Essentials. The record in the .csv reads:

Splunk_Security_Essentials,Splunk Security Essentials,https://splunkbase.splunk.com/app/3435/,3.6.0#8.2|9.0|9.1|;..........

The latest version is 3.8.0. I needed to add the current version of the app, and assign my Splunk version to it:

Splunk_Security_Essentials,Splunk Security Essentials,https://splunkbase.splunk.com/app/3435/,3.8.0#9.1|;3.6.0#8.2|9.0|9.1|

Making this change to the .csv under /opt/splunk/etc/apps/python_upgrade_readiness_app/local/splunkbaseapps.csv did not help. However, the upgrade readiness app no longer fails Splunk Security Essentials after moving the edited .csv to these locations:

/opt/splunk/etc/apps/python_upgrade_readiness_app/bin/libs_py2/pura_libs_utils/splunkbaseapps.csv
/opt/splunk/etc/apps/python_upgrade_readiness_app/bin/libs_py3/pura_libs_utils/splunkbaseapps.csv

After rewriting the .csv files, it is of course necessary to restart Splunk and run New Scan in the Upgrade Readiness App. I will be accepting your original answer, as it is very straightforward and the way to go for most people who encounter this issue. Thank you Tejas, and happy Splunking!
Hi, were you able to solve this issue?
Hi @Sudhir.Bobade, I found this AppD documentation that could be helpful:

https://docs.appdynamics.com/appd/4.5.x/en/appdynamics-application-performance-monitoring-platform/planning-your-deployment/physical-machine-controller-deployment-guide/prepare-the-controller-host/prepare-windows-for-the-controller
https://docs.appdynamics.com/appd/4.5.x/en/appdynamics-application-performance-monitoring-platform/controller-deployment/controller-system-requirements

I was not able to find any other additional information that didn't require a bunch of log files to be requested. You can always try contacting AppD Support for this issue too: How do I submit a Support ticket? An FAQ
Hello @SATYENDRA.DAS, can you please send me a screenshot of what you are seeing? Be sure to either blur out or not include the URL of your Controller when capturing the screenshot.