Hi, I'm not able to download agents (App agent, Machine agent, Database agent) from https://accounts.appdynamics.com/downloads. No listing shows up after selecting the options from the dropdown. Thank you
If you click into the saved search, there is a setting called 'Job Settings'; in there is another setting called 'lifetime', which has a setting of 10 minutes or 7 days. Perhaps this will help you.
I have a scheduled job that runs every month, storing a monthly report and sending an email with the search results. This setup works well, but I've encountered a problem: the search results expire after 24 hours. It shows me that the search has probably expired or been deleted. How can I set it to 7 days to prevent it from expiring?
Hi @rreatiga, in the header of the props.conf stanza you cannot use "index::current_index", only the sourcetype, source or host fields. For source and host you can also use a wildcard character, something like this:

props.conf
[source::*dev-ksm*]
TRANSFORMS-routing=filter-to-new_index
[source::*int-ksm*]
TRANSFORMS-routing=filter-to-new_index
[source::*qa-ksm*]
TRANSFORMS-routing=filter-to-new_index
[source::*amq-*-ksm*]
TRANSFORMS-routing=filter-to-new_index

transforms.conf
[filter-to-new_index]
DEST_KEY = _MetaData:Index
REGEX = .
FORMAT = new_index

Ciao. Giuseppe
Hi @LearningGuy, yes, it's possible. You have to run a search to extract the data from the old summary and save the new one in the new summary, or also in the same one. There's a thing that I don't understand: how do you take the values for the additional field? If it's from a lookup, you can do something like this:

index=summary report="test_1"
| lookup your_lookup.csv Customer OUTPUT Phone
| eval report="test_2"
| table _time Order Customer Phone
| collect index=summary

But if you have this information in a lookup, why do you need to save it in the index? You can use it every time with the lookup command; the only reason could be that your Phone number could change. Ciao. Giuseppe
Hi @LearningGuy, you have to create a role for your team, and enable write permission on the dashboard only for this team. There isn't an exclusion permission; you have to define who can access and who can modify an object. You should do the same thing for all the knowledge objects in your dashboard (fields, eventtypes, etc.). For this reason it's always a good idea to design roles and permissions before the app creation, to avoid modifying all the objects at the end of the development process. Ciao. Giuseppe
Like @ITWhisperer said, this is not JSON, AND a strange choice of data format. How to extract what you need depends quite a bit on the string values of "field1", "field2", "value1", "value2", etc. If none of "fieldN", "valueN" contains hard breakers such as white space, you can do something as simple as

| rex mode=sed field=params "s/: */=/g"
| rename _raw as temp, params AS _raw
| kv
| rename temp AS _raw

(I assume that you already have the field params.) If the data is more complex than that, you will need to reconstruct the data. One way is to convert the structure into conformant JSON. For example,

| rex mode=sed field=params "s/'/\"/g s/ *: */\":\"/g s/\[/{/ s/]/}/"
| spath input=params

Here is a complete emulation:

| makeresults
| fields - _*
| eval params = "['field1: value1', 'field2: value2', 'field3: value3']"
| rex mode=sed field=params "s/'/\"/g s/ *: */\":\"/g s/\[/{/ s/]/}/"
| spath input=params

field1  field2  field3  params
value1  value2  value3  {"field1":"value1", "field2":"value2", "field3":"value3"}
Alternatively, you can do

| inputlookup abc.csv
| table name published
| lookup def.csv name as name OUTPUT releaseyear
| eval releaseyear = mvdedup(releaseyear)
If you already know the search ID, it shouldn't matter whether it is a saved search or not.

| rest /services/search/jobs/<search ID>
| fields sid pid

Here, pid is the process ID. There are tons of other output from this call. If you only know the saved search's name, you can search by label:

| rest /services/search/jobs
| where isSavedSearch == 1 AND label = "<your report name>"
| fields label sid pid

Hope this helps.
Hello, how do I restrict write access to my dashboard from any users outside my team application? For example: I am "User1" and I created the "Test" dashboard in "App1". App1 is my team application. I want to restrict write access (but allow read access) to the "Test" dashboard from any users outside "App1". I want to allow ONLY my team within "App1" to have read and write access to the "Test" dashboard. If I set the following setting (see below), users from outside App1 can go inside App1 and edit the dashboard. Please suggest. Thank you!!
Hello, I have a summary index that has been fed data since 6 months ago. There is a new "field" and I tried to add the new field into "past" data and future data in the summary index. Is it possible to add a new field into past data in a summary index? If it's not possible, how do I move the summary index to another summary index with updated fields? Thank you. Below is an example.

index=summary report="test_1"

_time       Order      Customer
05/01/2024  Pizza      Customer1
05/01/2024  Hamburger  Customer2
05/02/2024  Spaghetti  Customer3
05/02/2024  Pizza      Customer4
05/03/2024  Noodle     Customer1
05/03/2024  Rice       Customer2

index=summary report="test_2"

_time       Order      Customer   Phone
05/01/2024  Pizza      Customer1  1111
05/01/2024  Hamburger  Customer2  2222
05/02/2024  Spaghetti  Customer3  3333
05/02/2024  Pizza      Customer4  4444
05/03/2024  Noodle     Customer1  1111
05/03/2024  Rice       Customer2  2222
You can also have multiple visualisations inside a single <panel> element, i.e.

<panel>
  <html> </html>
  <single> </single>
  <single> </single>
  <chart> </chart>
  <table> </table>
</panel>

The way Splunk lays out such a structure inside the panel is that <single> elements are aligned horizontally, but others will then align vertically. I often avoid using a single panel viz, which offers limited customisation, and instead use an HTML section with the contents coming from tokens calculated from searches. The top three 'rows' of your example panel, i.e. total, value, expected, above... could be a single HTML block where you can write the data from tokens, and then a timechart can sit underneath. Depending on how good your html/css skills are, you can do a huge amount to vary the style.
You're right that it should work. Thanks for the sanity check. I deleted the alert and started from scratch and it's working as expected now. I think I messed up the notification settings when I was originally tinkering with it. 
Hi, is it possible using props.conf and transforms.conf to route some data to an index based on the source field? Let's say index1 contains a lot of sources, and some sources contain certain words in the path, for example (source="*dev-ksm*" OR source="*int-ksm*" OR source="*qa-ksm*" OR source="*amq-*-ksm*"). For this scenario I'd like to route events whose source matches the above to an index2. I was thinking of something like this:

props.conf
[index::current_index]
TRANSFORMS-routing=filter-to-new_index

transforms.conf
[filter-to-new_index]
DEST_KEY = _MetaData:Index
SOURCE_KEY = MetaData:Source
REGEX = (?i)(.*dev-ksm.*|.*int-ksm.*|.*qa-ksm.*|.*amq-.*-ksm.*)
FORMAT = new_index

It does not seem to be currently working, hence the question whether it's possible to do something like this. Thanks in advance.
Hi @whitecat001, assuming your Active Directory logs are being indexed under "index=windows" and you are forwarding the logon events EventCode=4624 (successful logons), you can use the following query:

index=windows* source="WinEventLog:Security" sourcetype=xmlwineventlog host=* user!="*$" EventCode=4624 dest_nt_domain=<your domain name> Logon_Type=5
| stats max(_time) as last_login by index, host, dest, dest_nt_domain, user, src_ip, Logon_Type
| eval last_login=strftime(last_login, "%Y-%m-%d %H:%M:%S")

The EventCode=4624 filters the logs to only include successful logon events. You can use the field "Logon_Type", which points out how the user logged on. There are a total of nine different types of logons; the most common logon types are logon type 2 (interactive) and logon type 3 (network). Any logon type other than 5 (which denotes a service startup) is a red flag.

Logon Type  Logon Title             Description
0           System                  Used only by the System account, for example at system startup.
2           Interactive             A user logged on to this computer.
3           Network                 A user or computer logged on to this computer from the network.
4           Batch                   Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5           Service                 A service was started by the Service Control Manager.
7           Unlock                  This workstation was unlocked.
8           NetworkCleartext        A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9           NewCredentials          A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10          RemoteInteractive       A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11          CachedInteractive       A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
12          CachedRemoteInteractive Same as RemoteInteractive. This is used for internal auditing.
13          CachedUnlock            Workstation logon.

best regards, P.S.: Karma Points are always appreciated
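Added example (not from the post above): an offline Python model of the same stats max(_time) by user, src_ip, Logon_Type summary over Security 4624 events, generalised to all logon types and then used to flag service accounts that show up with any Logon_Type other than 5. The XML events and the service-account list are constructed for the example; field names follow the EventData entries of the Security log.

```python
# Constructed 4624 events and an assumed service-account list; the summary
# mirrors the Splunk query's stats and user!="*$" filter, then flags anomalies.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(ts, user, domain, logon_type, ip):
    """Constructed minimal Security/4624 record carrying the fields the query uses."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID>'
            f'<TimeCreated SystemTime="{ts}"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="TargetDomainName">{domain}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

SAMPLE_EVENTS = [  # constructed sample data, not real logs
    _event("2024-05-01T02:00:00Z", "svc_backup", "CORP", 5, "-"),
    _event("2024-05-01T08:00:00Z", "alice", "CORP", 2, "-"),
    _event("2024-05-02T09:15:00Z", "svc_backup", "CORP", 3, "10.0.0.7"),
    _event("2024-05-02T11:00:00Z", "WS01$", "CORP", 3, "10.0.0.9"),
    _event("2024-05-03T08:30:00Z", "alice", "CORP", 2, "-"),
    _event("2024-05-03T10:00:00Z", "bob", "OTHERDOM", 3, "10.1.0.4"),
]

def parse_4624(xml_text):
    """Return the query's fields for one 4624 event, or None for other event IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
        return None
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    ts = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return {"time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": data["TargetUserName"], "domain": data["TargetDomainName"],
            "logon_type": int(data["LogonType"]), "src_ip": data["IpAddress"]}

def last_logins(events, domain):
    """max(_time) by user, src_ip, Logon_Type for one domain; user!="*$" drops computer accounts."""
    latest = {}
    for ev in map(parse_4624, events):
        if ev is None or ev["domain"] != domain or ev["user"].endswith("$"):
            continue
        key = (ev["user"], ev["src_ip"], ev["logon_type"])
        latest[key] = max(latest.get(key, ev["time"]), ev["time"])
    return latest

def flag_service_accounts(summary, service_accounts):
    """Service accounts are expected only with Logon_Type 5; report any other type."""
    return sorted((u, ip, lt) for (u, ip, lt) in summary
                  if u in service_accounts and lt != 5)
```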
Hey everyone, we have a Splunk SOAR client who has a Microsoft tenant with several domains. They asked if we can scope the "Windows Defender ATP" app in Splunk SOAR to be limited to the 2 domains their team is responsible for. Is this something that can be done from the app configuration itself in SOAR? Or would this be something done in the Microsoft tenant? Or are there any other options?
Can I please get another search that can show the last logon date for an Active Directory service account?
Has anyone been able to get ADAudit Plus to integrate with Splunk Enterprise? I followed these instructions but have not gotten any data to show on the indexer: SIEM integration | Admin settings | ADAudit Plus (manageengine.com). I also contacted ManageEngine support, which has not been able to figure out the issue. I searched the forum and found this old thread, but no one had a response: How to get audit plus manager logs into splunk ent... - Splunk Community. Any help is appreciated, thanks.
It's not working.
I am trying to figure out where Splunk is getting its data to populate the "Host Name" column in the Splunk GUI for the Forwarder Management section, when selecting the Clients tab. I would like the host name to be the FQDN (server1.x.xx) instead of its current version (server1). It doesn't seem to pull from any Splunk .conf files that I can see located on any Windows UF. For reference, this only applies to Windows servers running the Splunk UF agent. I have already modified inputs.conf (host = $decideOnStartup) and server.conf (hostnameOption = fullyqualifiedname) to no avail. Any help will be greatly appreciated.