All Posts

Has anyone attempted to enable all the correlation searches in the "Use Case Library" for Enterprise Security? There are over 1,000 correlation searches. Will this impact the performance of the Search Head (SH) and indexer? If I have 1,000 EPS, what hardware resources would be required? Alternatively, what minimum hardware resources are needed to enable all the correlation searches in the Use Case Library? Thank you.
Hi, we recently changed the tsidxWritingLevel from 1 to 4 for performance and space-saving. Is there any way to check if the above modification has improved the performance and space in our environment? Thanks
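One way to measure the space effect, as an added example that is not part of the original post: tsidxWritingLevel only applies to buckets written after the change, so buckets rolled before and after the cutover can be compared with dbinspect, which reports per-bucket on-disk size, raw size and event count. The index name (main) and the cutover date are assumptions to replace with your own.

```spl
| dbinspect index=main
| eval period = if(startEpoch >= strptime("2024-06-01", "%Y-%m-%d"), "after_change", "before_change")
| stats sum(sizeOnDiskMB) as disk_mb sum(rawSize) as raw_bytes sum(eventCount) as events by period
| eval raw_mb = round(raw_bytes/1024/1024, 2), disk_per_raw = round(disk_mb/raw_mb, 3), bytes_per_event = round(disk_mb*1024*1024/events, 1)
| table period events raw_mb disk_mb disk_per_raw bytes_per_event
```

A lower disk_per_raw ratio for the after_change row is the space saving; for search performance, run the same search restricted to each time window and compare the run times in the Job Inspector, since the two windows land on buckets written with different levels.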
Hello @gcusello, but the source doesn't contain any duplicate fields when sending to Splunk, and they appear only if we search within a particular app. As said earlier, if I run the same query outside the app, I don't see these duplicate field values. My users don't have permissions to run searches outside their app, so they see duplicate entries every time.
As richgalloway wrote, there should be one License Manager, and all servers that need a license should talk to that server on port 8089 (can be changed). Servers running full Splunk, like Search Heads, Heavy Forwarders, Indexers, HEC etc., need to be able to talk to the LM server.
I tried using the 'isnull' and 'isnotnull' functions, but received the same 'false' result for both.
@harishlnu if you have one of the more recent versions of SOAR, then it now has a forwarder on it with the ability to send a lot of different logs to Splunk via the UF embedded in the platform. There is a huge amount of data in these logs that could be teased out into SPL alerts. Are you able to advise what kind of things you are looking to monitor? OS health can be done using the *nix Splunk Add-on; playbook/action failure is in the logs, as well as access data via the wsgi.log file. Daemon logs, such as decided/ingestd/etc., can also provide data about functionality, and these are also able to be sent to Splunk via the Forwarder Settings in Administration in SOAR. -- Hope this helps! Happy SOARing --
Hi @Yashvik, as I said, these are your logs and we cannot change them; you can only display them one time to avoid useless duplications. In addition, this is very frequent with JSON logs. For this reason, I suggest using stats to display your logs in Statistics (and dashboard panels), even if in the raw logs you have duplicated values in some fields. You shouldn't modify your logs; they are as they are, and you use them by displaying what you need. Ciao. Giuseppe
How is the data being onboarded? IOW, what is the method for getting the events to Splunk?
-- We have installed the universal forwarder and added a monitor stanza in it; the UF sends the logs to an intermediate forwarder and then to the indexer.
Are there any errors in the logs?
-- There is no error, even in debug mode.
How have you determined the events are not indexed?
-- The index is newly created and there are no events found in it. I have verified the log event timestamp and searched for the events on the search head at the same time.
We have installed the universal forwarder, and the events are forwarded from the Splunk UF to the intermediate forwarder and then sent to the indexer. But I could see the host's internal logs are being ingested into Splunk. Only the file is not getting monitored.
Hi, I'm looking for my next role and wanted to reach out to the community for guidance on where to look for roles that use AppDynamics, as I would love to continue working with this amazing technology and helping improve online experiences. Thanks, Sunil
Hi @gcusello, thanks, however the actual issue is field duplication. Please find the attached screenshot, and you will see some fields contain duplicate values (cid, cluster, container_id, container_name etc.). I'd like to understand why they are showing 2 values instead of one.
In Dashboard Studio: I applied a drilldown to one of the standard icons and linked it to another dashboard. The goal is to view the linked dashboard upon clicking on the icon, and it works. However, people get distracted when they place the mouse over the icon and the Export and Full Screen icons pop up. Is there a way to disable this default, unneeded functionality so nothing pops up when hovering the mouse over an icon? @elizabethl_splu
Hi @Kaushaas, by clicking on the Edit option for your dashboard, you can choose the "Edit Permissions" option to edit the permissions to access your dashboard and all your Knowledge Objects. Ciao. Giuseppe
I am not seeing an option to make my dashboard public or shared; please guide.
Interesting that you didn't do exactly as I suggested, but this should also work. What exactly is not working?
Hi @venkatasri, do you have a query to check health alerts using the Splunk App for SOAR? Kindly help me with this. Regards, Harisha
Hey @tejasode, to check why the app console is currently not opening, it would be better to check splunkd.log and web_service.log. Apart from that, for an alternative solution, as I mentioned, #3757 (Splunk Add-on for Microsoft Azure) has inputs to collect data from Azure Security Center. Additionally, if you're able to stream the CAS logs to an event hub, you can also go for configuring #3110 (Splunk Add-on for Microsoft Cloud Services) inputs. It is also a supported add-on and is CIM compliant as well. Thanks, Tejas.
Hello @Santosh2, there's a bit of a typo in the search command for using the selected site token. You've typed seach instead of search. Also, if you're using the search command, you need to filter it on the basis of a key-value search. The host-specific dropdown should look like this:

```spl
| makeresults | eval site="BDC", host="jboss.cloud.com" | fields site host
| append [| makeresults | eval site="BDC", host="ulkoy.cloud.com" | fields site host]
| append [| makeresults | eval site="BDC", host="ualki.cloud.com" | fields site host]
| append [| makeresults | eval site="BDC", host="hyjki.cloud.com" | fields site host]
| append [| makeresults | eval site="SOC", host="uiy67.cloud.com" | fields site host]
| append [| makeresults | eval site="SOC", host="7hy56.cloud.com" | fields site host]
| append [| makeresults | eval site="SOC", host="ju5e.cloud.com" | fields site host]
| append [| makeresults | eval site="SOC", host="mjut.cloud.com" | fields site host]
| search site="$site$"
| dedup host
| sort host
| table host
```

Thanks, Tejas. --- If the above solution helps, an upvote is appreciated.
Hi @splunky_diamond, good for you, see you next time! Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated
Hi @yoongchean, it might be because makeresults generates the _time field, which Splunk automatically puts on the x-axis when no chart options are specified. Try simply removing the _time field with:

```spl
| fields - _time
```