What do you mean by "distribute license"? Licenses are not distributed. They're installed on the LM and the other instances contact the LM. What exactly are you trying to do and how exactly are you trying to do it?
Hi Team, I have an active ServiceNow ticket and email notification integration already set up for Splunk alerts. I am trying to add tokens which show me the query result in the ServiceNow ticket description, the same as we are getting in the email notification when we check the Inline Table fields. Can you help me add the same to the ServiceNow ticket as well, so that I can get the query result in the ticket too? Right now it is showing me only the title of the alert, due to which I need to go to Splunk every time an alert triggers and run the alert's search to validate alerts manually.
Please, can you elaborate?
Hi everyone, I need to check my logs to see if a user has MFA enabled or not. I've already configured the Microsoft Azure App for Splunk, as all the other data is coming through. Additionally, I can see 'azure:monitor:aad' logs. Can someone help me understand what changes need to be made on the Azure side to be able to view these logs? Thank you in advance.
I keep getting an error when trying to distribute the license from the license manager. It won't allow me to distribute the license; the session either times out or I get a different error code each time. Any help would be greatly appreciated. Thanks -David
Hi @whitecat001, open the Monitoring Console and go to the Search section [Settings > Monitoring Console > Search] to find what you need. Ciao. Giuseppe
Hi @triva79, good for you, see you next time! Ciao and happy splunking. Giuseppe P.S.: Karma Points are appreciated by all the contributors
Hi @dude49, open a case with Splunk Support! Remember to prepare a diag of your SH to send them. Ciao. Giuseppe
Please, can I get a query that shows statistics on search activity in Splunk?
Search Head GUI is not working. I found an error in the splunkd logs, but I am not sure if it pertains to why the GUI is down. The SH GUI is not responding; I looked into the logs and found this error. Anyone have experience with this or know of any fix?

TsidxStats - sid:summarize_1591771322.7666 Failed to contact the server endpoint https://127.0.0.1:8089 from touchSummary()
Still, it's not working.
Thanks so much, it's only my 2nd day using Splunk.
@triva79 How about...

| timechart span=1h limit=50 useother=false dc(userName) as count by userName

or maybe...

| eval session=userName+":"+sessionKey
| timechart span=1h limit=50 useother=false dc(session) as count by session
Sometimes Splunk is forgiving when it comes to data types, sometimes it isn't - this is one of those!

| timechart span=1d sum(abc) by xyz
| where strftime(_time,"%w") = "1"
It's throwing an error.
Solved. The issue was related to this configuration segment:

[serverClass:spoke_hf]
whitelist.0 = <HF1_ip_address>, <HF1_ip_address>

Searching the documentation more carefully, I found that a comma-separated IP address list is not supported. After I switched to:

whitelist.0 = <HF1 IP Address>
whitelist.1 = <HF2 IP Address>

the issue went away.
Hi Splunkers, we have a SH with Splunk Enterprise Security installed on it. It is a standalone instance that queries some indexer clusters. We are about to configure it and we loaded some .csv files for Asset and Identity management. Once we uploaded those files, when we ran a search we got this situation: the search is executed, but errors about the inability to load the lookups that store merged asset and identity data in Splunk Enterprise Security are collected. The error syntax is the following:

[<indexers listed here>] Could not load lookup=LOOKUP-zu-asset_lookup_by_str-_risk_system
[<indexers listed here>] Could not load lookup=LOOKUP-zu-asset_lookup_by_str-dest
[<indexers listed here>] Could not load lookup=LOOKUP-zu-asset_lookup_by_str-dvc
[<indexers listed here>] Could not load lookup=LOOKUP-zu-asset_lookup_by_str-src
[<indexers listed here>] Could not load lookup=LOOKUP-zv-asset_lookup_by_cidr-_risk_system
[<indexers listed here>] Could not load lookup=LOOKUP-zv-asset_lookup_by_cidr-dest
[<indexers listed here>] Could not load lookup=LOOKUP-zv-asset_lookup_by_cidr-dvc
[<indexers listed here>] Could not load lookup=LOOKUP-zv-asset_lookup_by_cidr-src

The first thing I thought: ok, this is probably a permission issue. BTW, even when I execute the search with the admin user that loaded the .csv into the asset and identity inventory, I get the same error. I can add that we modified some OOT DMs to add some fields needed by our SOC. What could be the root cause?
Try something like this

| timechart span=1d sum(abc) by xyz
| where strftime(_time,"%w") = 1
The session is only present 3 times in the hour; the fourth one at 13:00 is in the next hour. Anyway, assuming you still want to count different sessions for the same user separately, you can do the stats twice

| bin _time span=1h
| stats count by _time, userName, sessionKey
| stats count by _time, userName

Depending on what count you actually want, you could also do this

| bin _time span=1h
| stats count by _time, userName, sessionKey
| stats count by _time
Hi @triva79, you could use timechart or dedup:

<your_search>
| timechart span=1h count BY userName

Ciao. Giuseppe