Ugh....sorry. I modified data in the examples as I was typing my last response, and didn't update each "table" as needed. Here are correct values. Sorry for the confusion! I didn't see an option to edit or delete my last response.

Sourcetype=autos

VIN       MAKE       MODEL
1234ABCD  FORD       GT
ABCD1234  DODGE      VIPER
1A2B3C4D  CHEVROLET  CORVETTE
A1B2C3D4  AUDI

Sourcetype=cars

SN        MANUFACTURER  PRODUCT
1234ABCD  FORD          GT
ABCD1234  DODGE         CARAVAN
1A2B3C4D  CHEVY         CORVETTE
A1B2C3D4                A8

I'd like to compare the two sourcetypes and see the results where VIN=SN, but MAKE!=MANUFACTURER OR MODEL!=PRODUCT. (Caveat - if any events in either sourcetype contain a null value, they can be ignored/excluded by the search.) From the example data above, ideally the search would display the following fields, and results would contain these two events (because VIN and SN match, but "VIPER" does not equal "CARAVAN", and "CHEVROLET" does not equal "CHEVY").

VIN       MAKE       MODEL     SN        MANUFACTURER  PRODUCT
ABCD1234  DODGE      VIPER     ABCD1234  DODGE         CARAVAN
1A2B3C4D  CHEVROLET  CORVETTE  1A2B3C4D  CHEVY         CORVETTE

Sorry again for the confusion.
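One way to express the comparison described above, as an added example that is not part of the original post. It assumes only the sourcetype and field names given in the post; the `VIN=*`-style terms in the base search drop events with a null field before the comparison, `coalesce` builds a single join key, and `dc(sourcetype)` keeps only keys present in both sourcetypes.

```spl
(sourcetype=autos VIN=* MAKE=* MODEL=*) OR (sourcetype=cars SN=* MANUFACTURER=* PRODUCT=*)
| eval key=coalesce(VIN, SN)
| stats values(MAKE) AS MAKE values(MODEL) AS MODEL
        values(MANUFACTURER) AS MANUFACTURER values(PRODUCT) AS PRODUCT
        dc(sourcetype) AS sourcetype_count BY key
| where sourcetype_count=2 AND (MAKE!=MANUFACTURER OR MODEL!=PRODUCT)
| eval VIN=key, SN=key
| table VIN MAKE MODEL SN MANUFACTURER PRODUCT
```

Run against the sample data it returns exactly the ABCD1234 and 1A2B3C4D rows; 1234ABCD is dropped because both pairs match, and A1B2C3D4 never reaches the comparison because of its null fields.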
Thanks for the response, Bowesmana. Understood. Here are sourcetypes and field data examples.

Sourcetype=autos

VIN       MAKE       MODEL
1234ABCD  FORD       GT
1A2B3C4D  CHEVROLET  CORVETTE
ABCD1234  DODGE      VIPER
A12B3C4D  AUDI

Sourcetype=cars

SN        MANUFACTURER  PRODUCT
1234ABCD  FORD          GT
ABCD1234  CHEVY         CORVETTE
1A2B3C4D  DODGE         CARAVAN
A1B2C3D4                A8

I'd like to compare the two sourcetypes and see the results where VIN=SN, but MAKE!=MANUFACTURER OR MODEL!=PRODUCT. (Caveat - if any events in either sourcetype contain a null value, they can be ignored/excluded by the search.) From the example data above, ideally the search would display the following fields, and results would contain these two events (because VIN and SN match, but "CHEVROLET" does not equal "CHEVY", and "VIPER" does not equal "CARAVAN").

VIN       MAKE       MODEL     SN        MANUFACTURER  PRODUCT
1A2B3C4D  CHEVROLET  CORVETTE  1A2B3C4D  CHEVY         CORVETTE
ABCD1234  DODGE      VIPER     ABCD1234  DODGE         CARAVAN

Hope this helps to clarify. Please let me know if you have any questions or suggestions. I appreciate your help!
Thank you, good catch. Not sure how I messed that up. I have corrected that error now, but I still do not get multiple fields extracted from this single extraction.
Hey @gcusello, JSON extractions will not work for this. The full event is not in JSON, only the data portion. Example event (without all of the claims):

TID: [-1234]  [2024-05-21 17:40:35,777] [asdf-asdf-asdf-asdf-asdf ] INFO {AUDIT_LOG} - Initiator=initiator Action=action Target=target Data= {"Claims":{ "http://wso2.org/claims/username":"user", "http://wso2.org/claims/role":"role"}}
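A search-time way to pull several fields out of an event shaped like the one above, as an added example that is not from the original thread. The index and sourcetype names are placeholders; the first rex takes the key=value prefix and the trailing JSON blob, the second rex with max_match=0 captures every claim name/value pair regardless of how many claims the event carries, and the final evals promote individual claims to their own fields.

```spl
index=<your_index> sourcetype=<your_sourcetype> "{AUDIT_LOG}"
| rex field=_raw "Initiator=(?<Initiator>\S+)\s+Action=(?<Action>\S+)\s+Target=(?<Target>\S+)\s+Data=\s*(?<json_data>\{.*\})\s*$"
| rex field=json_data max_match=0 "\"http://wso2\.org/claims/(?<claim_name>[^\"]+)\"\s*:\s*\"(?<claim_value>[^\"]*)\""
| eval claims=mvzip(claim_name, claim_value, "=")
| eval username=mvindex(claim_value, mvfind(claim_name, "^username$"))
| eval role=mvindex(claim_value, mvfind(claim_name, "^role$"))
| table _time Initiator Action Target username role claims
```

For the sample event this yields username=user, role=role and a multivalue claims field of "username=user" and "role=role"; a claim that is absent from an event simply leaves its field null.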
That's strange, at every midnight - sounds like gremlins are out to play! A few things you can check that may give you some clues (and as you have already stated, it's always better to use UFs/SC4S and not go direct to Splunk; this is really for small environments/POCs etc.).

As the HF is a full instance and will parse data/forward etc., it might be worth having a look at the TcpOutputProc in splunkd.log - or via the Splunk search bar:

index=_internal sourcetype=splunkd host=<YOUR HOST> (log_level=WARN OR log_level=ERROR) TcpOutputProc

Else check for any ERRORs for the HF. You might find some clues around timeouts, queues being full or some invalid configuration.

Perhaps increase the log level on the HF - can also be done via GUI:

/opt/splunk/bin/splunk set log-level TcpOutputProc -level DEBUG

Remember to turn it off after! - can also be done via GUI:

/opt/splunk/bin/splunk set log-level TcpOutputProc -level INFO

You could also do some checks on the performance, memory, CPU / disk - get some of those stats. I have seen where HFs used as syslog receivers with large volumes of streaming data stop the HF functioning, but that was at different times.

Optional, and if you have enough memory and this is not the issue, you could try to increase the memory queue size in server.conf on the HF and see if that helps. Example:

[queue]
maxSize=<5000MB>

I have also seen where a vulnerability scanner was preventing Splunk from responding at regular intervals.
Hello Splunk Community, I'm encountering an issue with configuration replication in Splunk Cloud Victoria Experience when using search head clusters behind a load balancer. Here's the scenario: I have developed a private custom search command app that requires some user configuration. For this purpose, I've added a custom config file in the /etc/apps/<appname>/default directory. Additionally, I've configured the app.conf as follows:

[triggers]
reload.<custom_conf> = simple

[shclustering]
deployer_push_mode = full

I've also included a server.conf inside etc/apps/<appname>/default with the following configuration:

[shclustering]
conf_replication_include.<custom_conf_name> = true

When attempting to install this private app using the install_app_from_file option in a Splunk Cloud Victoria Experience with search head clusters behind a load balancer, it appears that the app configuration is not being replicated across search heads. Could someone please assist me in identifying if there's anything I'm missing or doing incorrectly? Thank you. Avnish
Hi @gcusello, this is the query with which I am trying to map InterfaceName and Link. So I appended the inputlookup to the base query. In the base query I also have the interface name, so I am trying to map the values, but the Link is not populating in the table.

index="mulesoft" environment=PRD
| rename content.payload.Status as Status
| append [ inputlookup link.csv | table Link InterfaceName ]
| stats values(content.payload.InterfaceName) as payLoadInterface values(content.payload.ErrorMessage) as ErrorMsg earliest(timestamp) as Timestamp values(priority) as Priority values(tracePoint) as Tracepoint values(Link) as Link values(InterfaceName) as Interface by correlationId
| eval names = if(isnull(mvfind(message, "DISABLED")), null(), message)
| eval Response = coalesce(SuccessResponse, Successresponse, msg, names, ErrorMsg)
| eval InterfaceName = coalesce(Interface, payLoadInterface)
| table Status Timestamp InterfaceName Link Response correlationId message Priority Tracepoint
| fields - message Tracepoint Priority
| search InterfaceName="*"
| where Status LIKE "%"
| sort -Timestamp
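An added example (not the poster's query) showing the mapping done with the lookup command instead of append: rows appended from link.csv carry no correlationId, so a stats BY correlationId cannot attach their Link to any event, whereas lookup enriches each aggregated row in place. It assumes link.csv is reachable as a lookup with the columns InterfaceName and Link that the post's inputlookup uses.

```spl
index="mulesoft" environment=PRD
| rename content.payload.Status AS Status, content.payload.InterfaceName AS InterfaceName, content.payload.ErrorMessage AS ErrorMsg
| stats values(Status) AS Status earliest(timestamp) AS Timestamp
        values(InterfaceName) AS InterfaceName values(ErrorMsg) AS ErrorMsg
        values(message) AS message BY correlationId
| lookup link.csv InterfaceName OUTPUT Link
| eval names=if(isnull(mvfind(message, "DISABLED")), null(), message)
| eval Response=coalesce(names, ErrorMsg)
| table Status Timestamp InterfaceName Link Response correlationId
| sort -Timestamp
```

File-based lookups match case-sensitively unless the lookup definition says otherwise, so an InterfaceName that differs only in case from the CSV entry will still leave Link empty.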
Hi @jreuter_splunk. Including @xpac, @Kyle_Jackson, @ben_leung, @tsteens, @muebel, @gjanders as well, since they were active on the "Is there a REST API call to apply shcluster-bundle with the deployer?" post as well. This solution is fairly old (nearly 10 years). Now that we're in 9.x, is there another way to do this? I still wasn't able to find it in the REST API Reference Manual.
I entered your sample table in a lookup zscalerip.csv:

CIDR
168.246.0.0/16
8.25.203.0/24
64.74.126.64/26
70.39.159.0/24
136.226.158.0/23

(Your original first line 168.246.*.* is not CIDR notation, so I speculated it to be a misspelling of 168.246.0.0/16. This is immaterial to the problem at hand.)

[zscalerip.csv]
batch_index_query = 0
case_sensitive_match = 1
filename = zscalerip.csv
match_type = CIDR(CIDR)

Using the exact search I posted above, the output is:

src_ip            Is_managed_device
10.0.0.0          false
166.226.118.0     false
136.226.158.0     true
185.46.212.0      false
2a03:eec0:1411::  false
Hello. In a Splunk dashboard, visualization charts that display data have their background color set to white (#FFFFFF) by default, and it turns to black if I change the theme from Light to Dark. I want to find a way to get the same color behavior for the Rectangle element. Currently its default fill color is grey (#c3cbd4), and it turns to dark grey if I change the theme from light to dark. If I change the background color of the rectangle in settings, it stops changing color when I change the theme. How can I make the Rectangle element in a Splunk dashboard white for the Light theme and black for the Dark theme? Thanks!
Could you share that bug report info?  Or a link?  I'd love to track that.  Thanks!
Is "Start Time" an epoch time? If not, you need to parse it to an epoch time before formatting to a different format. Since you are sorting, you should parse, sort, then format.
I attempted a rollback/reinstall but same result.  It appears to be related to the python version that the stack is using (in my case python2). Run the REST command and read the verbiage in the link below.   https://docs.datapunctum.com/ame/ame-before-upgrading Opened a case with support to determine if the stack can be upgraded to python3.  If not, we'll need to turn in a case to have them install AME v2.0.4 which still supports python2. Hope this helps - best idea I have at the moment. 
The problem with both of those is that they do not account for the 5 vs 6 hour shift between CDT and CST. That is, solutions like this that use relative_time manually subtract 5 or 6 hours, but do not differentiate when to make that shift (March-ish to November-ish), whereas Splunk has TZ awareness since the user can set their profile. Seems like there should be a way (a function?) to tap into that, but something like relative_time(epoch, "CST6CDT") doesn't seem to exist. Many thanks for the great conversation as, per usual, learning!
Hi @loganramirez, you can use the solution in the shared link or the function relative_time in eval. Ciao. Giuseppe
Hello! I am having an issue getting annotations to work within the Dashboard Studio column chart. I have tried a bunch of different ways, but it isn't cooperating. The chart I have is just System_Name on the X axis and Risk_Score on the Y axis. I'd like to be able to highlight where the System_Name in question shows up on the chart, as the annotation examples have demonstrated in the documentation. My current code for the chart is as follows. Does anyone have any suggestions as to what I'm doing wrong here?

Chart itself:

{
  "type": "splunk.column",
  "options": {
    "seriesColorsByField": {},
    "annotationColor": "> annotation | seriesByIndex('2')",
    "annotationLabel": "> annotation | seriesByIndex('1')",
    "annotationX": "> annotation | seriesByIndex('0')",
    "legendDisplay": "off"
  },
  "dataSources": {
    "primary": "ds_abUJLKDj",
    "annotation": "ds_YPQ3EYqR"
  },
  "showProgressBar": false,
  "showLastUpdated": false,
  "context": {}
}

Searches:

"ds_abUJLKDj": {
  "type": "ds.search",
  "options": {
    "query": "`index` \n| stats latest(Risk_Score) AS Risk_Score by System_Name\n| eval Risk_Score=round(Risk_Score, 2)\n| sort Risk_Score"
  },
  "name": "risk_score_chart"
},
"ds_YPQ3EYqR": {
  "type": "ds.search",
  "options": {
    "query": "`index` \n| stats latest(Risk_Score) AS Risk_Score by System_Name\n| eval Risk_Score=round(Risk_Score, 2), color=\"#f44336\", Annotation_Label= (\"The risk score for $system_name$ is \" + Risk_Score) \n| sort Risk_Score\n| where System_Name = \"$system_name$\"\n| table System_Name, Annotation_Label, color"
  },
  "name": "risk_score_chart_annotation"
}
Hi all, in the past I used a CLI command to disable the indicators feature. Do you know how I can enable it back?
Thanks, I did a reinstallation. And just to be sure, I had to save + restore \var\lib\splunk. Thanks for your help, have a good day.
@harishlnu  For the forwarding part: https://docs.splunk.com/Documentation/SOARonprem/6.2.1/Admin/Forwarders  The other element is just using SPL to look for things in the logs sent from SOAR to Splunk. The Splunk app for SOAR will have docs on what sourcetypes it sends through that would include ingestd.log.  You should have enough information now to do some research and start to develop what you need.  -- Happy SOARing --
Morning, Splunkers. I've got a dashboard that gets some of its input from an external link. The input that comes in determines which system is being displayed by the dashboard, with different settings through a <change> line in each, then shows the necessary information in a line graph. That part is working perfectly, but what I'm trying to do is set the color of the line graph based on the system chosen, and I'm trying to keep it simple for future edits. I've set the colors I'm currently using in the <init> section as follows:

<init>
  <set token="red">0xFF3333</set>
  <set token="purple">0x8833FF</set>
  <set token="green">0x00FF00</set>
</init>

The system selection looks like this:

<input token="system" depends="$NotDisplayed$">
  <change>
    <condition value="System-A">
      <set token="index_filter">index_A</set>
      <set token="display_name">System-A</set>
      <set token="color">$purple$</set>
    </condition>
    <condition value="System-B">
      <set token="index_filter">index_B</set>
      <set token="display_name">System-B</set>
      <set token="color">$green$</set>
    </condition>
    <condition value="System-C">
      <set token="index_filter">index_C</set>
      <set token="display_name">System-C</set>
      <set token="color">$red$</set>
    </condition>
  </change>
</input>

I now have a single query window putting up a line graph with the necessary information brought in from the external link. Like I said above, that part works perfectly, but what DOESN'T work is the color. Here's what my option field currently looks like:

<option name="charting.fieldColors">{"MyField":$color$}</option>

The idea here is that if I add future systems, I don't have to keep punching in hex codes for colors; I just enter a color name token. Unfortunately, what ends up happening is the line graph color is black, no matter what color I use. If I take the $color$ token out of the code and put in the hex code directly it works fine. It also works if I put the hex code directly in the system selection instead of the color name token.
Is there a trick to having a token reference another token in a dashboard? Or is this one of those "quit being fancy and do it the hard way" type of things? Any help will be appreciated. Running Splunk 8.2.4, in case it matters.