Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
It's a relatively old thread but I'll add my three cents. Assuming we're pondering deleting events from the index based on which an accelerated datamodel summary is created (without DAS the answer to the question is obvious because the search from datamodel is simply translated to raw event search and executed against indexed events), as long as the deleted data is within the backfill range, I'd expect the summarization search to adjust the summary accordingly on the next scheduled run. If the deleted data falls into summary range but out of backfill range, I would expect the summary to stay untouched because there is no mechanism to update the summary.
Did you just move your lookup or did you adjust field names as well?
Hello @Pastea, You can try this https://community.splunk.com/t5/All-Apps-and-Add-ons/Addon-Builder-Configuration-Pages-Don-t-Work-on-a-Search-Head/m-p/679681/thread-id/80304
Moving the lookup after the chart fetches nothing.
Hello @cameronjust, You can use a setting in server.conf called conf_replication_include to force the replication of the file containing the accounts. https://docs.splunk.com/Documentation/Splunk/9.2.1/Admin/Serverconf After creating an account, the account_file is created in the local folder of your app. Example:

[shclustering]
conf_replication_include.<app_account_file_without_extension> = true
I have the latest(?) Splunk VSCode extension on my Splunk instance. That instance is on my laptop too. If you are trying to use a remote instance you must use the correct node name and port in settings.json instead of localhost. I'm not sure if I have run this against other Splunk instances or only towards my own dev/test instance on the same node that is running VSCode.
Hi @czql5v So, what I mean by "it may be elsewhere" is, say for example, a software engineer develops an authentication application; they may well write data to the log files to show why the user's login is failing, alongside other events. Now, Microsoft logs a lot of events, and do they actually log why? Yes, for some; for example, EventID 4625 is a bad password, and we know that, and we can look for that. As you said it's not a bad password, so this is really a Microsoft-related issue, not Splunk. Splunk is designed to ingest log files, as you have done via AD, and we search those logs to find information, but if that data, EventID or information is not in the log file then we can't search for it. Maybe look at some of the Microsoft forums and post a question there; they may be able to help debug the issue or even tell you what EventID relates to this issue, if there is such an EventID.
Hi @David.Teng, Thanks for asking your question on the Community and then sharing the solution! Glad you were able to figure it out.
Hi Deepakc, In the details of the search in Splunk I can see that there is a logon account which I search on, also a source workstation (at least 3 different ones) with eventcode=4776, and 3 different hosts which are the Domain Controllers of the domain. I assume the hosts are where the user is attempting to validate credentials. Does this mean that the user is attempting to validate from different workstations and the validation will go to the nearest DC in the Domain? So I assume the source workstation is where the user is attempting to log in from? Regards.
Hi Deepakc, The user is definitely not typing the wrong password. What happens is that his account gets locked out when he is actually logging in after he has been off his machine to get a cup of tea or something similar. When you say "if it's not in the event data", what do you mean by that? Where would I see event data? I hope the above helps. Regards.
Thanks @isoutamo I made your suggested changes, including creating a new token. Unfortunately, it didn't work. WARN: call not properly authenticated There is zero usable info on the Internet about this error. Plus, when I run a Wireshark capture the token and other info indicates the authentication is not leaving my PC. The issue appears to be within VSCode and the Splunk Extension. Thanks and God bless. Genesius
Try doing your lookup after the chart:

index=application_na sourcetype=my_logs:hec source=my_Logger_PROD retrievePayments* returncode=Error
| rex field=message "Message=.* \((?<apiName>\w+?) -"
| chart count over client by apiName
| lookup My_Client_Mapping client OUTPUT ClientID ClientName Region
OK, I don't use delete very often (nobody does), but you could try something like this:

index=test [| search index=test | stats min(change_set) as change_set by source | format]
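A dry-run form of that pattern, added here as an example and not part of the answer above: the subsearch produces, per source, the lowest change_set value, and `format` turns those rows into an OR'd filter that the outer search matches against. Run it without `delete` first and check that the per-source counts and time ranges are what you intend to remove; only then replace the last two lines with `| delete`. Index and field names are the ones used in the thread. Two caveats a practitioner should keep in mind: `delete` requires a role with the can_delete capability and only hides the matched events from search (it does not free disk space), and the subsearch is capped by the subsearch result limit (10,000 rows by default), so with a very large number of distinct sources the generated filter would be silently truncated.

```spl
index=test
    [ search index=test
      | stats min(change_set) AS change_set BY source
      | format ]
| stats count AS events_to_delete min(_time) AS earliest max(_time) AS latest BY source change_set
| convert ctime(earliest) ctime(latest)
```

If the table shows a source or change_set you did not expect, fix the subsearch before appending `| delete`; a deletion cannot be undone short of re-indexing the data.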
The problem is not in the use of case, but in the regex you applied. (I think this very same problem was discussed recently. Is this another homework question?) There is an unnecessary asterisk (*) at the end of several expressions. But that's not necessarily a real problem. There is also a code choice of case vs if; the latter would be more expressive and concise in your use case. But that's not a problem, either. The problem is that the regexes probably do not match the data. For volunteers to help you, you need to post output from

index=mulesoft environment=DEV applicationName="Test"
| stats values(content.FileName) as Filename1 values(content.ErrorMsg) as errormsg values(content.Error) as error values(message) as message values(priority) as priority min(timestamp) AS Logon_Time, max(timestamp) AS Logoff_Time BY correlationId

(Anonymize as needed.) If you ask a data analytics question, you need to illustrate data.
This was my original query to get the list of APIs that failed for a client. I have more details of the client in the lookup table. How can I extract that in the `chart`?

index=application_na sourcetype=my_logs:hec source=my_Logger_PROD retrievePayments* returncode=Error
| rex field=message "Message=.* \((?<apiName>\w+?) -"
| lookup My_Client_Mapping client OUTPUT ClientID ClientName Region
| chart count over ClientName by apiName

This shows the data like:

ClientName   RetrievePaymentsA   RetrievePaymentsB   RetrievePaymentsC
Client A     2                   1                   4
Client B     2                   0                   3
Client C     5                   3                   1

How can I add other fields to the output like this?

ClientId   ClientName   Region   RetrievePaymentsA   RetrievePaymentsB   RetrievePaymentsC

Any help will be appreciated.
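A complete version of the "lookup after chart" approach from the answer above, for the question asked here, added as an example and not part of either post. `chart count over client` keeps one row per client key, the lookup then enriches each row, and `table` puts the lookup columns first while the wildcard keeps every API column whatever its name. The `fillnull` line is the check: any row whose ClientName reads NO MATCH has a client value that does not exist in the lookup, which is the first thing to look at when the lookup "fetches nothing". Index, sourcetype, lookup and field names are the ones in the thread; the column prefix RetrievePayments is taken from the sample output.

```spl
index=application_na sourcetype=my_logs:hec source=my_Logger_PROD retrievePayments* returncode=Error
| rex field=message "Message=.* \((?<apiName>\w+?) -"
| chart count OVER client BY apiName
| lookup My_Client_Mapping client OUTPUT ClientID ClientName Region
| fillnull value="NO MATCH" ClientID ClientName Region
| table ClientID ClientName Region client RetrievePayments*
```

If every row shows NO MATCH, confirm the lookup's key column is really named client and that its values match the event field exactly (case and whitespace included) with `| inputlookup My_Client_Mapping | head 5`.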
I tried something like this:

index=abc ("Aggregator * is Error" OR "Aggregator * is Up") NJ12GC102
| rex field=_raw "Aggregator\s(?<aggregator>[^\s]+)\sis\s(?<aggregator_status>\w+)\s"
| streamstats current=t global=f window=2 range(_time) as time_diff by aggregator,aggregator_status
| streamstats current=t global=f window=2 range(_time) as time_diff2 by aggregator
| table _time aggregator aggregator_status time_diff time_diff2

But the output is not what I needed. For that I would need to change the window=2, but it brings more issues.
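One way to get the Error-to-Up duration per aggregator without tuning window=2, added here as an example and not part of the post above. Events are first put in chronological order, then the first `streamstats` pairs each event with the previous status of the same aggregator so that repeated "is Error" lines can be dropped and only state changes remain; the second `streamstats` then reads the timestamp of the previous state change, which for an Up event is the first Error that preceded it. The search terms, index and rex are the ones from the post; the trailing `\s` in the rex is dropped so a status at the very end of a line still matches.

```spl
index=abc ("Aggregator * is Error" OR "Aggregator * is Up") NJ12GC102
| rex field=_raw "Aggregator\s(?<aggregator>[^\s]+)\sis\s(?<aggregator_status>\w+)"
| sort 0 _time
| streamstats current=f window=1 last(aggregator_status) AS prev_status BY aggregator
| where isnull(prev_status) OR aggregator_status!=prev_status
| streamstats current=f window=1 last(_time) AS prev_time last(aggregator_status) AS prev_status BY aggregator
| eval time_diff=_time - prev_time
| where aggregator_status="Up" AND prev_status="Error"
| eval outage_minutes=round(time_diff/60, 1)
| table _time aggregator prev_status aggregator_status time_diff outage_minutes
```

`sort 0` matters: search results arrive newest first, and `streamstats` with `current=f window=1` only means "the previous event" once the events are in ascending time order. An aggregator that is still in Error at the end of the time range produces no row, since it has no closing Up event yet.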
Start here - it shows the basics: https://www.splunk.com/en_us/blog/customers/splunk-clara-fication-search-best-practices.html Here are all the many different SPL commands with examples - once you have developed the basic concepts, you can start to apply various commands to your use cases: https://docs.splunk.com/Documentation/SplunkCloud/9.1.2312/SearchReference/ListOfSearchCommands
You haven't answered my key questions about data. Is there a data ingestion problem that causes a corrupt JSON snippet? (The data in your original illustration is NOT compliant.) Do you have an "event" field from Splunk? If yes, can you post an example? (Anonymize as needed.) Can you post a corrected raw event? (Anonymize as needed.) Without correct data, you cannot expect any good result.
If it's not in the event data it's difficult to say what the root cause is; Splunk only reports what's in the logs, not the root cause, but that could be elsewhere in some log. That said, it's normally mistyped passwords, bad passwords, etc. Check the Group Policy settings related to account lockout policies, password policies, and Kerberos policies with the AD admin. Ensure that these policies are configured correctly and not excessively restrictive. What about some malware or unauthorized access that's causing it? So it could be a number of things. It might be worth speaking to the user and asking them to show you what they are doing, so you can see and spot any obvious mistakes they may be making. I have also experienced in the past that odd keyboard keys/characters or locale settings being used could also be the cause.
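A search that narrows down where the failing credentials come from, added here as an example and not part of the thread. In a 4776 event the host that logged it is the domain controller that validated the NTLM credential, Source Workstation is the computer that submitted it, and Error Code says why validation failed (0xC000006A is a bad password, 0xC0000234 is an already locked-out account, 0xC0000072 a disabled account). Grouping by those three for the affected account shows which workstation keeps presenting a bad password and when, which is what you need before looking on that machine for a stale credential such as a mapped drive, a scheduled task, a service logon or a disconnected session. The index name and the account jdoe are placeholders; the field names Logon_Account, Source_Workstation and Error_Code are assumed to be those the Splunk Add-on for Microsoft Windows extracts from the event text, so adjust them to your data.

```spl
index=wineventlog EventCode=4776 Logon_Account="jdoe"
| eval ec=lower(Error_Code)
| eval reason=case(ec=="0x0", "success",
                   ec=="0xc000006a", "bad password",
                   ec=="0xc0000234", "account locked out",
                   ec=="0xc0000072", "account disabled",
                   true(), "other: ".Error_Code)
| stats count min(_time) AS first_seen max(_time) AS last_seen BY Source_Workstation host reason
| convert ctime(first_seen) ctime(last_seen)
| sort - count
```

A workstation that shows "bad password" rows at regular intervals while the user is away from the keyboard is the usual signature of cached credentials left behind after a password change, rather than of someone mistyping.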
What is the best approach to run Splunk queries?