All Posts

What transfer protocol does Splunk use, like FTP or SFTP? That is, what transfer method is used to transfer data via TCP when sending data from a UF to a Splunk core cluster (Enterprise)?
Hi @munang,

Depending on your segmentation configuration, 127.0.0.1 will be indexed as:

0
1
127
127.0.0.1

or

0
1
127
127.0
127.0.0
127.0.0.1

You can verify this (relatively) easily with an empty index and the walklex command. See https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Walklex.

With segmenters.conf INTERMEDIATE_MAJORS = false (the default):

| makeresults
| eval _raw="127.0.0.1"
| collect index=walklex_test

$ /opt/splunk/bin/splunk _internal call /data/indexes/walklex_test/roll-hot-buckets

| walklex type=term index=walklex_test
| table term

term
0
1
127
127.0.0.1

Using a source type and segmentation with INTERMEDIATE_MAJORS = true:

term
0
1
127
127.0
127.0.0
127.0.0.1

Both 127.0.0.1 and "127.0.0.1" will use the following base lispy at the indexing tier:

[ AND 0 1 127 ]

You can judge the efficiency of your search using the method you observed in your second question. In the search job inspector, you'll see:

"This search has completed and has returned X results by scanning Y events in Z seconds."

If X != Y, your search is scanning more events than needed, and introducing TERM() or otherwise modifying your search may improve efficiency.

TERM(127.0.0.1) will use the following base lispy at the indexing tier, also as you observed:

[ AND 127.0.0.1 ]

With INTERMEDIATE_MAJORS = false, TERM(127.0) will return no results. With INTERMEDIATE_MAJORS = true, TERM(127.0) will return events with 127.0.0.1, 127.0.a$b, 127.0-foo, etc.

If searches with and without TERM() return X results by scanning Y events and X == Y, then the same number of events contain the segmented terms as contain the complete term. In this case, there is no direct efficiency to be gained by using TERM(). If your observations contradict this, i.e. you have events that match 127.1.1.24 but do not match TERM(127.1.1.24), then the answer may have something to do with inconsistent time ranges across searches, misconfigured search peers, or misconfigured indexer clustering.
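As an added illustration (not Splunk's own segmenter, and not from the answer above), the following simplified Python model reproduces the two lexicon term sets shown above for 127.0.0.1, the base lispy a non-TERM search reduces to, and why TERM(127.0) only matches when intermediate majors are indexed. The minor-breaker set is an assumption chosen to cover the examples in the thread.

```python
"""Simplified model of Splunk index-time segmentation (illustrative only)."""
import re

# Assumed minor breakers for this illustration; Splunk's segmenters.conf
# defines a larger set. The capture group keeps the breakers in the split.
MINOR_BREAKERS = re.compile(r"([./:\-])")


def _minor_segments(token: str) -> list:
    """Pieces of a major token between minor breakers, e.g. 127, 0, 0, 1."""
    return [p for p in MINOR_BREAKERS.split(token)[0::2] if p]


def index_terms(token: str, intermediate_majors: bool = False) -> set:
    """Lexicon terms written for one major token.

    INTERMEDIATE_MAJORS=false: minor segments plus the full token.
    INTERMEDIATE_MAJORS=true:  additionally every prefix that ends on a
    minor boundary (127.0, 127.0.0 for 127.0.0.1).
    """
    pieces = MINOR_BREAKERS.split(token)      # ['127', '.', '0', '.', '0', '.', '1']
    terms = set(_minor_segments(token)) | {token}
    if intermediate_majors:
        for i in range(3, len(pieces) - 1, 2):  # stop before the full token
            terms.add("".join(pieces[:i]))
    return terms


def base_lispy(search_value: str) -> list:
    """Terms a plain (non-TERM) search for search_value is ANDed from."""
    return sorted(set(_minor_segments(search_value)))


def term_matches(term: str, raw_token: str, intermediate_majors: bool) -> bool:
    """TERM(term) can only hit events whose lexicon contains term exactly."""
    return term in index_terms(raw_token, intermediate_majors)


if __name__ == "__main__":
    for flag in (False, True):
        print(f"INTERMEDIATE_MAJORS={flag}:", sorted(index_terms("127.0.0.1", flag)))
    print("base lispy for 127.0.0.1:", base_lispy("127.0.0.1"))
    print("TERM(127.0) hits 127.0-foo with intermediates:",
          term_matches("127.0", "127.0-foo", True))
```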
What have you tried so far?
up !!
I need to create the dashboard below. This will be the main dashboard, and from here I can navigate to any of the other mentioned dashboards. AAA, BBB, CCC are separate dashboards, and all of these should be accessed from this main dashboard.
Thanks!! That does work for the first object! But I have multiple objects in the array and the number of objects is not fixed. How can I refactor the solution to accommodate them? Sorry, I have done the research but have no idea how to do that.
Hello, I'm a Splunk newbie. This is a post that I found while looking for ways to improve Splunk's search performance, but I'm asking a question because it's a little confusing.

I referred to the two posts below.
https://splunk.illinois.edu/splunk-at-illinois/using-splunk/searching-splunk/how-to-optimize-your-searches/
https://idelta.co.uk/3-easy-ways-to-speed-up-your-splunk-searches-and-why-they-help/

Question 1)
- index=firewall_data 127.0.0.1
Or
- index=firewall_data "127.0.0.1"
If I search that, because of the internal segmentation process: 127 127 1 127 0 1
Is it right that the search is divided into three parts like this? Because of this, if I use index=firewall_data TERM(127.1.1.24), is it correct that the breaker is not used and it shows better performance?

Question 2)
index=firewall_data "127.0.0.1" uses more resources if the assumptions in question 1 are correct. index=firewall_data TERM(127.1.1.24) should perform better, but when tested, it actually did the same. It says that the data I searched for and the resource (time) are all the same. Why?
<form version="1.1" theme="light">
  <label>Multi-select filtered</label>
  <fieldset submitButton="false">
    <input type="multiselect" token="alloptions" searchWhenChanged="true">
      <label>Select site</label>
      <choice value="All">All</choice>
      <search>
        <query>
          | makeresults format=csv data="Country
USA
Romania
Turkey"
          | table Country
        </query>
      </search>
      <fieldForLabel>Country</fieldForLabel>
      <fieldForValue>Country</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
      <change>
        <eval token="form.alloptions">case(mvcount('form.alloptions')=0,"All",mvcount('form.alloptions')&gt;1 AND mvfind('form.alloptions',"All")&gt;0,"All",mvcount('form.alloptions')&gt;1 AND mvfind('form.alloptions',"All")=0,mvfilter('form.alloptions'!="All"),1==1,'form.alloptions')</eval>
        <eval token="countrychoice">if($form.alloptions$=="All","","| where Country IN (".$alloptions$.")")</eval>
      </change>
    </input>
    <input type="multiselect" token="campus" searchWhenChanged="true">
      <label>Select Campus</label>
      <search>
        <query>
          | makeresults format=csv data="Country,Campus
USA,USA1
USA,USA2
Romania,Romania1
Romania,Romania2
Romania,Romania3
Turkey,Turkey1
Turkey,Turkey2
Turkey,Turkey3
Turkey,Turkey4"
          $countrychoice$
          | table Campus
        </query>
      </search>
      <fieldForLabel>Campus</fieldForLabel>
      <fieldForValue>Campus</fieldForValue>
      <valuePrefix>"</valuePrefix>
      <valueSuffix>"</valueSuffix>
      <delimiter>,</delimiter>
    </input>
  </fieldset>
</form>
I thought about that but didn't succeed in editing the dynamic options for the Campus value. I tried

| search $site.token$=$campus.token$*

where $site.token$ is for the Site value and $campus.token$* is for the Campus value.
For the campus dropdown, use a search which filters the campuses based on the token value from the countries dropdown
Hey all, I'm building a new dashboard that contains 2 multiselect values:
Site: USA, Romania, Turkey.... (only countries)
Campus: USA1, USA2, Romania1, Romania2.... (contains the country's name and a number).
I want that when I select a country/countries in the Site multiselect value, I will see only options to select the relevant campuses in the Campus multiselect value. How can I create an inherited rule so that Campus will inherit from the Site value? Thanks.
anyone?
Hi Bhavya, What add-ons did you need on Splunk enterprise to receive logs from rsyslog client? Was rsyslog on an external system?  Thanks. Joanna.
Can I configure something like this?

[default]
persistentQueueSize=100MB

so that it will be applied to all the inputs?
I have been facing this issue for 1 week. It came out after doing a rolling restart. I did the rolling restart just to fix the data durability, and this step didn't fix anything, and a new issue came out, which is below in the photo. Any solution to this matter please? Thanks.
Very strange, since PickleRick also says it's the normal behaviour of a DS not to delete custom add-ons.
If an old admin account is deleted in a Splunk Enterprise distributed environment, any actions or related tasks associated with that account will be affected, such as use cases, lookups, etc.
Hi @verbal_666, As I said, I had a situation where apps installed on a Deployment Client (a UF) were removed because they weren't in the related ServerClass on the DS. Ciao. Giuseppe P.S.: Karma Points are appreciated by all the contributors
For anyone reading along, this is an interesting exercise, but please do not store or log passwords in plain text. It's probably not even a good idea to log whether a particular user's password meets complexity requirements; that should be handled while the user is creating a password.
Hi @lynn140428,

We should note the example isn't strictly JSON:

"alert_data": {"domain": "abc.com", "csv": {"id": 12345, "name": "credentials.csv", "mimetype": "text/csv", "is_safe": true, "content": [{"username": "test@abc.com", "password":"1qaz@WSX#EDC"}

The string should start with a left brace ({), and the objects and array should be properly closed:

{"alert_data": {"domain": "abc.com", "csv": {"id": 12345, "name": "credentials.csv", "mimetype": "text/csv", "is_safe": true, "content": [{"username": "test@abc.com", "password":"1qaz@WSX#EDC"}]}}}

We can validate with the json eval function. Note that quotation marks are escaped with a backslash within the string:

| makeresults
| eval _raw=json("\"alert_data\": {\"domain\": \"abc.com\", \"csv\": {\"id\": 12345, \"name\": \"credentials.csv\", \"mimetype\": \"text/csv\", \"is_safe\": true, \"content\": [{\"username\": \"test@abc.com\", \"password\":\"1qaz@WSX#EDC\"}")

No results are returned. Let's correct the JSON and try again:

| makeresults
| eval _raw=json("{\"alert_data\": {\"domain\": \"abc.com\", \"csv\": {\"id\": 12345, \"name\": \"credentials.csv\", \"mimetype\": \"text/csv\", \"is_safe\": true, \"content\": [{\"username\": \"test@abc.com\", \"password\":\"1qaz@WSX#EDC\"}]}}}")

We now have a valid JSON object in the _raw field, and we can use this object to test eval expressions that we'll apply later in a transform. You should correct the source data before proceeding further. Hint: You can correct the data at ingest using a simple eval expression and a transform similar to what I'm describing here.

Testing the length of the password is straightforward:

| eval length=len(json_extract(_raw, "alert_data.csv.content{}.password"))
| eval is_password_meet_complexity=if(length >= 8, "Yes", "No")

You haven't provided a list of special characters, but we'll assume they're drawn from the list of printable ASCII characters. Using PCRE character classes, we have:

Numbers or digits: [[:digit:]]
Uppercase letters: [[:upper:]]
Lowercase letters: [[:lower:]]
Punctuation characters: [[:punct:]]

We can test the password against these to determine whether it contains a character matching the class:

| makeresults
| eval _raw=json("{\"alert_data\": {\"domain\": \"abc.com\", \"csv\": {\"id\": 12345, \"name\": \"credentials.csv\", \"mimetype\": \"text/csv\", \"is_safe\": true, \"content\": [{\"username\": \"test@abc.com\", \"password\":\"1qaz@WSX#EDC\"}]}}}")
| eval length=len(json_extract(_raw, "alert_data.csv.content{}.password"))
| eval digit=if(match(json_extract(_raw, "alert_data.csv.content{}.password"), "[[:digit:]]"), 1, 0)
| eval upper=if(match(json_extract(_raw, "alert_data.csv.content{}.password"), "[[:upper:]]"), 1, 0)
| eval lower=if(match(json_extract(_raw, "alert_data.csv.content{}.password"), "[[:lower:]]"), 1, 0)
| eval punct=if(match(json_extract(_raw, "alert_data.csv.content{}.password"), "[[:punct:]]"), 1, 0)
| eval is_password_meet_complexity=if(length >= 8 AND (digit + upper + lower + punct) >= 3, "Yes", "No")

We can now combine the tests into a single expression:

| makeresults
| eval _raw=json("{\"alert_data\": {\"domain\": \"abc.com\", \"csv\": {\"id\": 12345, \"name\": \"credentials.csv\", \"mimetype\": \"text/csv\", \"is_safe\": true, \"content\": [{\"username\": \"test@abc.com\", \"password\":\"1qaz@WSX#EDC\"}]}}}")
| eval is_password_meet_complexity=if(len(json_extract(_raw, "alert_data.csv.content{}.password")) >= 8 AND (if(match(json_extract(_raw, "alert_data.csv.content{}.password"), "[[:digit:]]"), 1, 0) + if(match(json_extract(_raw, "alert_data.csv.content{}.password"), "[[:upper:]]"), 1, 0) + if(match(json_extract(_raw, "alert_data.csv.content{}.password"), "[[:lower:]]"), 1, 0) + if(match(json_extract(_raw, "alert_data.csv.content{}.password"), "[[:punct:]]"), 1, 0)) >= 3, "Yes", "No")

and use that expression to add the is_password_meet_complexity key to the object:

| makeresults
| eval _raw="{\"alert_data\": {\"domain\": \"abc.com\", \"csv\": {\"id\": 12345, \"name\": \"credentials.csv\", \"mimetype\": \"text/csv\", \"is_safe\": true, \"content\": [{\"username\": \"test@abc.com\", \"password\":\"1qaz@WSX#EDC\"}]}}}"
| eval _raw=json_set(_raw, "alert_data.csv.content{0}.is_password_meet_complexity", if(len(json_extract(json(_raw), "alert_data.csv.content{}.password")) >= 8 AND (if(match(json_extract(json(_raw), "alert_data.csv.content{}.password"), "[[:digit:]]"), 1, 0) + if(match(json_extract(json(_raw), "alert_data.csv.content{}.password"), "[[:upper:]]"), 1, 0) + if(match(json_extract(json(_raw), "alert_data.csv.content{}.password"), "[[:lower:]]"), 1, 0) + if(match(json_extract(json(_raw), "alert_data.csv.content{}.password"), "[[:punct:]]"), 1, 0)) >= 3, "Yes", "No"))

{"alert_data":{"domain":"abc.com","csv":{"id":12345,"name":"credentials.csv","mimetype":"text/csv","is_safe":true,"content":[{"username":"test@abc.com","password":"1qaz@WSX#EDC","is_password_meet_complexity":"Yes"}]}}}

With "password":"NotComplex":

{"alert_data":{"domain":"abc.com","csv":{"id":12345,"name":"credentials.csv","mimetype":"text/csv","is_safe":true,"content":[{"username":"test@abc.com","password":"NotComplex","is_password_meet_complexity":"No"}]}}}

Finally, we can use the eval expression in the INGEST_EVAL setting of a transform. (The SEDCMD regex uses \s* rather than \s+ so that it also matches the sample, where no whitespace follows the colon in "password":"...".)

# props.conf
[json_sourcetype]
TRANSFORMS-password_complexity = password_complexity
SEDCMD-password = s/\"password\"\:\s*\"\S{6}([^ ]*)/"password":"******\1/g

# transforms.conf
[password_complexity]
INGEST_EVAL = _raw=json_set(_raw, "alert_data.csv.content{0}.is_password_meet_complexity", if(len(json_extract(json(_raw), "alert_data.csv.content{}.password")) >= 8 AND (if(match(json_extract(json(_raw), "alert_data.csv.content{}.password"), "[[:digit:]]"), 1, 0) + if(match(json_extract(json(_raw), "alert_data.csv.content{}.password"), "[[:upper:]]"), 1, 0) + if(match(json_extract(json(_raw), "alert_data.csv.content{}.password"), "[[:lower:]]"), 1, 0) + if(match(json_extract(json(_raw), "alert_data.csv.content{}.password"), "[[:punct:]]"), 1, 0)) >= 3, "Yes", "No"))

Note that your sample includes a single object in the content array. If you have multiple objects in your array, we'll need to refactor the solution to accommodate them. Also note that we've used json(_raw) and json_extract(json(_raw), "alert_data.csv.content{}.password") repeatedly. There may be a way to optimize the expression and reduce the number of times the json and json_extract functions are called per event. Finally, note that we don't have to use json functions to analyze the password. If "password":"value" only appears once and is well-formed, we can match against _raw directly; however, escaped quotes as in "password":"val\"ue" pose a challenge. I'll leave all of the above to you as an exercise.
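As an added example (Python, not the Splunk eval above and not from the thread), the same rule, length >= 8 and at least 3 of the 4 PCRE character classes, applied to every object in alert_data.csv.content so a variable-length array is handled, with the plaintext password redacted before the event is written anywhere. The sample event is constructed here with two content objects; function names are assumptions.

```python
"""Password-complexity tagging for the alert_data.csv.content array (added example)."""
import json
import re
import string

# ASCII equivalents of [[:digit:]], [[:upper:]], [[:lower:]], [[:punct:]].
CLASSES = {
    "digit": re.compile(r"[0-9]"),
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "punct": re.compile("[" + re.escape(string.punctuation) + "]"),
}


def meets_complexity(password: str) -> str:
    """Same rule as the INGEST_EVAL: len >= 8 and >= 3 character classes."""
    classes = sum(1 for rx in CLASSES.values() if rx.search(password))
    return "Yes" if len(password) >= 8 and classes >= 3 else "No"


def is_well_formed(raw: str) -> bool:
    """Equivalent of the json() eval check: does the event parse as JSON?"""
    try:
        json.loads(raw)
        return True
    except json.JSONDecodeError:
        return False


def annotate_event(raw: str) -> dict:
    """Tag every content object and redact its password (never keep plaintext)."""
    if not is_well_formed(raw):
        raise ValueError("event is not well-formed JSON; correct it at the source")
    event = json.loads(raw)
    content = event.get("alert_data", {}).get("csv", {}).get("content", [])
    for obj in content:                       # one or many objects, not just {0}
        obj["is_password_meet_complexity"] = meets_complexity(obj.get("password", ""))
        obj["password"] = "******"            # assumption: full mask, not first 6 chars
    return event


# Constructed samples: the thread's fragment (not valid JSON) and a valid event
# with two content objects.
BROKEN = '"alert_data": {"domain": "abc.com", "csv": {"id": 12345'
SAMPLE = ('{"alert_data": {"domain": "abc.com", "csv": {"id": 12345, "name": '
          '"credentials.csv", "mimetype": "text/csv", "is_safe": true, "content": '
          '[{"username": "test@abc.com", "password":"1qaz@WSX#EDC"}, '
          '{"username": "u2@abc.com", "password":"NotComplex"}]}}}')

if __name__ == "__main__":
    print(json.dumps(annotate_event(SAMPLE), separators=(",", ":")))
```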