All Posts


Hi Team, We are also configuring Microsoft Teams using the HTTP request template, and the controller is behind a reverse proxy; it is throwing a "connection refused" error. We have tried the proxy connection on the controller host and it connects. Kindly suggest. Regards, Pallavi Lohar
Thanks, I'll review the maxQueueSize. If the warning count was higher, such as 20 in your example, what would be the best way to determine a good value (in bytes) for maxSendQSize to avoid the slow indexer scenario?
Is this a ChatGPT answer? Firstly, the OP does not mention having the Splunk Enterprise Security app - the A&I framework is part of ES, and your example search seems to relate to populating an Identity registry in ES rather than anything to do with the OP's post. Secondly, the search NOT [| inputlookup...] technique should never be recommended without a big warning about subsearches, which can perform terribly - I recently fixed a search using a NOT subsearch that was taking 18 minutes to evaluate the NOT criteria and reduced it to 9 seconds. Certainly, a lookup of users to validate against can be a valid solution, but this depends on whether the OP wants to find a new user's first ever login or to check whether the user has not logged in for 30 days, which is not clear.
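For anyone weighing that option, a lookup-based filter avoids the NOT subsearch entirely. This is only a sketch - the index, sourcetype, and user field names are placeholders, and it assumes a users.csv lookup table file keyed on a user field:

index=auth_logs sourcetype=linux_secure
``` placeholder index/sourcetype; the lookup leaves known_user null for users absent from users.csv ```
| lookup users.csv user OUTPUT user AS known_user
| where isnull(known_user)
| stats earliest(_time) AS first_seen by user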
You can fetch the results of a lookup using this search:

| inputlookup your_lookup.csv

Replacing the lookup data would be:

```your search here``` | outputlookup your_lookup.csv

And then you can add (append) rows using:

```your search here``` | outputlookup append=true your_lookup.csv
You need historic user data to compare against. You would need to configure Assets & Identities or save users to a simple lookup. You can store results daily, weekly, or monthly using this search:

index=your_users_index
``` Add or configure the necessary fields ```
| eval bunit="your_bunit", startDate=strftime(now(),"%Y-%m-%d %H:%M:%S")
| stats count by email, identity, nick, UserId, "first", "last", JobTitle, phone, bunit, work_country, work_city, startDate
| table email, identity, nick, UserId, "first", "last", JobTitle, phone, bunit, work_country, work_city, startDate
| search NOT [| inputlookup users.csv | fields email ]
| outputlookup append=true users.csv

And later you can sort users by startDate using this search:

| inputlookup users.csv
| sort - startDate

Or get new users from the last 20 days:

| inputlookup users.csv
| eval epoch=strptime(startDate, "%Y-%m-%d %H:%M:%S")
| where epoch>relative_time(now(), "-20d")
Hi All, My props and transforms are not working. I kept the props and transforms on the Heavy Forwarder. Can anyone please assist? I want to drop the lines below from being ingested into Splunk, but it is not working.

#Date: 2024-05-03 00:00:01
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken https

props.conf:

[mysourcetype]
TRANSFORMS-drop_header = drop_header

transforms.conf:

[drop_header]
REGEX = ^#Date.+\n#Fields.+
DEST_KEY = queue
FORMAT = nullQueue
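For anyone hitting the same wall: IIS-style comment lines are typically broken into individual events, so a regex that spans #Date and #Fields across a newline never matches. A per-line variant (a sketch only, reusing the stanza names from the post and assuming default line breaking) would look like:

props.conf:

[mysourcetype]
TRANSFORMS-drop_header = drop_header

transforms.conf:

[drop_header]
# match any event that begins with a # comment line and route it to the null queue
REGEX = ^#
DEST_KEY = queue
FORMAT = nullQueue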
Let this be a lesson for all who ask questions: illustrate/explain your data (anonymize as needed) and your desired result, and explain the logic between data and desired result in plain language without SPL. SPL should come after all the explanations, before illustrating the actual result from that SPL; then explain why that result differs from the desired one if it is not painfully obvious. Secondly, posting SPL without formatting discourages volunteers. Third, SPL (and raw data) is best illustrated in a code box. Let me help so other volunteers do not have to do the hard work.

index=hum_stg_app "msg.OM_MsgType"=REQUEST msg.OM_Body.header.transactionId=* "msg.service_name"="fai-np-notification" "msg.OM_Body.header.templateType"=vsf_device_auth_otp_template "msg.OM_Body.header.channelType{}"=sms "msg.OM_Body.header.organization"=VSF
| rename msg.OM_Body.header.transactionId as transactionId
| eval lenth=len(transactionId)
| sort 1000000 _time
| dedup transactionId _time
| search lenth=40
| rename _time as Time1
| eval Request_time=strftime(Time1,"%y-%m-%d %H:%M:%S")
| stats count by Time1 transactionId Request_time
| appendcols
    [| search index=hum_stg_app earliest=-30d fcr-np-sms-gateway "msg.service_name"="fcr-np-sms-gateway" "msg.TransactionId"=* "msg.NowSMSResponse"="{*Success\"}"
     | rename "msg.TransactionId" as transactionId_request
     | sort 1000000 _time
     | dedup transactionId_request _time
     | eval Time=case(like(_raw,"%fcr-np-sms-gateway%"),_time)
     | eval lenth=len(transactionId_request)
     | search lenth=40
     | dedup transactionId_request
     | stats count by transactionId_request Time ]
| eval Transaction_Completed_time=strftime(Time,"%y-%m-%d %H:%M:%S")
| eval Time_dif=Time-Time1
| eval Time_diff=(Time_dif)/3600
| fields transactionId transactionId_request Request_time Transaction_Completed_time count Time_diff Request_time Time Time1

I took pains to reverse engineer your intentions. One thing I cannot understand is why you expect appendcols not to misalign transactionId between request and response. (I am quite convinced that Time_diff is only meaningful when transactionId and transactionId_request refer to the same transaction.) Additionally, a subsearch over the same dataset should be used only as a last resort, and this type of transaction-based calculation does not warrant it. Let me try mind-reading a bit and state the goal of your search: calculate the difference between the time the request is sent and the time the response indicates completion, for the same transactionId. To do this, simply search both the request event and the completion event in one search, then do a stats to find the time range, i.e. the earliest (request) time and the latest (completion) time.
Like this

index=hum_stg_app (("msg.OM_MsgType"=REQUEST msg.OM_Body.header.transactionId=* "msg.service_name"="fai-np-notification" "msg.OM_Body.header.templateType"=vsf_device_auth_otp_template "msg.OM_Body.header.channelType{}"=sms "msg.OM_Body.header.organization"=VSF) OR (fcr-np-sms-gateway "msg.service_name"="fcr-np-sms-gateway" "msg.TransactionId"=* "msg.NowSMSResponse"="{*Success\"}"))
| eval transactionId = coalesce('msg.OM_Body.header.transactionId', 'msg.TransactionId')
| eval lenth=len(transactionId)
| sort 1000000 _time
| dedup transactionId _time
| search lenth=40
| stats range(_time) as Time_diff min(_time) as Request_time max(_time) as Transaction_Completed_time by transactionId
| eval Time_diff=Time_diff/3600

Two notes: I see you inserted earliest=-30d in the subsearch (for the completion message). I do not know how that value relates to earliest in the main search (for the request message), so the above does not adjust for that. If anything, I assume the request message has to be earlier, so the search window would necessarily be larger (or equal). Between Request_time (min) and Transaction_Completed_time (max), only one is necessary because Time_diff is already calculated by range. I put both there to validate that the range is not negative. (The range function will always return a positive number, so before taking one of those times out, do some testing.)
Try this

index="cdr" "Tipo_Trafico"="*" "Codigo_error"="*"
| eval Error_{Codigo_error}=if(Codigo_error="69" OR Codigo_error="10001", 1, 0)
| stats count(eval(Tipo_Trafico="MT")) AS Total_MT sum(Error_*) as Error_*
| foreach Error_*
    [ eval Error_<<MATCHSTR>>_P=(('<<FIELD>>'*100/Total_MT)), ThresholdExceeded=if(Error_<<MATCHSTR>>_P > 10, 1, coalesce(ThresholdExceeded, 0)) ]
| where ThresholdExceeded>0
How can I get it to show me when the percentage of errors 69 and 10001 is greater than 10? The following search does not work; can you help me?

index="cdr"
| search "Tipo_Trafico"="*" "Codigo_error"="*"
| stats count(eval(Tipo_Trafico="MT")) AS Total_MT, count(eval(Codigo_error="69")) AS Error_69
| eval P_Error_69=((Error_69*100/Total_MT))
| stats count(eval(Tipo_Trafico="MT")) AS Total_MT, count(eval(Codigo_error="10001")) AS Error_10001
| eval P_Error_10001=((Error_10001*100/Total_MT))
| stats count by P_Error_69, P_Error_10001
| where count>10
If the warning count is 1, then it's not a big issue. What it indicates is that, out of the maxQueueSize bytes of tcpout queue, one connection has occupied a large share, so the TcpOutputProcessor will get paused. maxQueueSize is per pipeline and is shared by all target connections in that pipeline. You may want to increase maxQueueSize (e.g., double the size).
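For reference, an explicit value can be set per output group in outputs.conf on the forwarder. This is only a sketch - the group name, server, and size are placeholders to illustrate the setting, not a recommendation:

[tcpout:primary_indexers]
server = nn.nn.nn.nn:9997
# maxQueueSize is per pipeline and shared by all connections in the group;
# placeholder value - size it against your per-pipeline throughput
maxQueueSize = 50MB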
This setting definitely looks useful for slow receivers, but how would I determine when to use it, and an appropriate value? For example, you have mentioned:

WARN AutoLoadBalancedConnectionStrategy [xxxx TcpOutEloop] - Current dest host connection nn.nn.nn.nnn:9997, oneTimeClient=0, _events.size()=20, _refCount=2, _waitingAckQ.size()=4, _supportsACK=1, _lastHBRecvTime=Thu Jan 20 11:07:43 2024 is using 20214400 bytes. Total tcpout queue size is 26214400. Warningcount=20

I note that you have Warningcount=20; a quick check in my environment shows Warningcount=1. If I'm just seeing the occasional warning, I'm assuming tweaking this setting would be of minimal benefit? Furthermore, how would I appropriately set the bytes value? I'm assuming it's per pipeline, and the variables involved might relate to volume per second per pipeline; any other variables? Any example of how this would be tuned, and when? Thanks
Hi All, I'm working hard to create a SIEM dashboard that has the AH list.

Higher priority: 1) ab 2) CD 3) if 4) GH
Rest of the AH: 5) IJ 6) kl 7) MN

For each of these systems, I need a list of hosts associated with the AH and what is currently being ingested from the AH.
Hi @davilov, Here's a way I've found to hide/show a panel based on a dropdown. It depends on 3 steps: Define a dropdown with options for each panel you'd like to show/hide, in this example I've called the token "show_panel", and we choose to show/hide two panels or show them all. Set your panel visualisations to hide when there is no data, under the "Visibility" setting:   Update the searches for your visualisations to compare a known string (i.e. the possible token values) to the current token value:   ``` I only want to show this panel if we have selected "Bar Chart" from the drop down:``` | eval _show="Bar Chart" | search _show="$show_panel$" | fields - _show​   You can get a bit fancier by creating chain searches to compare the text so that the search doesn't rerun every time you change the dropdown.   Here's a sample dashboard:   { "visualizations": { "viz_QNQd730H": { "type": "splunk.table", "title": "Table of data", "dataSources": { "primary": "ds_BGrBVi8Q" }, "hideWhenNoData": true }, "viz_JM2qhOeK": { "type": "splunk.bar", "title": "Bar Chart", "dataSources": { "primary": "ds_KD6bNQc9" }, "options": { "xAxisTitleText": "Time", "xAxisLineVisibility": "show", "yAxisTitleText": "Score", "yAxisLineVisibility": "show", "yAxisMajorTickVisibility": "show", "yAxisMinorTickVisibility": "show" }, "hideWhenNoData": true } }, "dataSources": { "ds_BGrBVi8Q": { "type": "ds.search", "options": { "query": "| windbag\n| table source, sample, position\n| eval _show=\"Table\"\n| search _show=\"$show_panel$\"\n| fields - _show" }, "name": "table_search" }, "ds_KD6bNQc9": { "type": "ds.search", "options": { "query": "| gentimes start=-7\n| eval score=random()%500\n| eval _time = starttime\n| timechart avg(score) as score\n| eval _show=\"Bar Chart\"\n| search _show=\"$show_panel$\"\n| fields - _show" }, "name": "barchart" } }, "defaults": { "dataSources": { "ds.search": { "options": { "queryParameters": { "latest": "$global_time.latest$", "earliest": "$global_time.earliest$" } } } } }, "inputs": { "input_global_trp": { "type": "input.timerange", "options": { "token": "global_time", "defaultValue": "-24h@h,now" }, "title": "Global Time Range" }, "input_hs0qamAf": { "options": { "items": [ { "label": "All", "value": "*" }, { "label": "Bar Chart", "value": "Bar Chart" }, { "label": "Table", "value": "Table" } ], "defaultValue": "*", "token": "show_panel" }, "title": "Choose you panel", "type": "input.dropdown" } }, "layout": { "type": "grid", "options": { "width": 1440, "height": 960 }, "structure": [ { "item": "viz_QNQd730H", "type": "block", "position": { "x": 0, "y": 0, "w": 720, "h": 400 } }, { "item": "viz_JM2qhOeK", "type": "block", "position": { "x": 720, "y": 0, "w": 720, "h": 400 } } ], "globalInputs": [ "input_global_trp", "input_hs0qamAf" ] }, "description": "https://community.splunk.com/t5/Dashboards-Visualizations/Conditionally-show-hide-panels-based-on-dropdown-selection-in/m-p/686803#M56222", "title": "Splunk Answers Post" }    
I'm having the same exact issue ... the data looks fine in the event, and even in a classic dashboard stats table, but in Dashboard Studio it's all messed up. Adding a space before the string doesn't fix it either. =\ This column just has data in it that's a combination of letters and numbers, for example: 00882b87. Sometimes the leading zeroes are missing and other times they are kept; there doesn't seem to be a pattern. All I know is that it makes a day's worth of effort building this dashboard a complete waste of time.
This can tell you if the user's first login is the same as his last - hopefully this will give you some pointers.

index=data earliest=-30d
| bin _time span=1d
| stats count by _time user
| eventstats min(_time) as first max(_time) as last by user
| where first = last
I would take issue with some of the statements as "best practice" for logging standards. We often find that developer-friendly formats such as JSON cause large ingestion volumes compared to the value of the data contained in the JSON. The ratio of field names to usable field values can typically be 50%, and developer logging frameworks will often just dump out JSON objects with empty field values, which is a real cost. I often see clients hitting their ingestion licence limits and then having to push back to developers, who have already written dashboards on their data, asking them to shrink it. Anyway, as to your question: if you want to count how many of CategoryA are true and how many are false, and false is never written, you can only extrapolate the false count as total count minus true count, on the assumption that any event without the field is implicitly false. Therefore you need to know the data to be able to write those searches. It's fine to have things like cat_a=true or categorya=1 - however, if you have 100 million events per day, use =1 rather than =true so you save 300MB/day in ingestion cost. Also, mapping "true" to something you can count is more expensive than simple wildcard logic such as | stats sum(cat_*) as cat_* if you have predictable naming conventions (see the sketch below). Please also do not write full Java class names in the logs, e.g. org.apache.catalina.bla.bla.bla, as this has no value and just costs licence ingest. Most logging frameworks have the ability to abbreviate package names to a single character, and there is rarely ambiguity in class names.
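To make the extrapolation concrete, here is a sketch (the index and field names are placeholders) assuming events only carry cat_a=1 when the condition is true:

index=app_logs
``` events without cat_a are treated as implicitly false ```
| stats count AS total, sum(cat_a) AS cat_a_true
| eval cat_a_false = total - coalesce(cat_a_true, 0)

With predictable naming, the wildcard form | stats count AS total, sum(cat_*) AS cat_* covers every category in one pass.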
Here is my example search to start...

index=data
| timechart span=1d by user

Now I am trying to build it out so that, for the last 30 days, I can get a count of new users that have not been seen on previous days. I tried some bin options and something like this, but no joy.

index=data
| stats min(_time) as firstTime by user
| eval isNew=if(strftime(firstTime, "%Y-%m-%d") == strftime(_time, "%Y-%m-%d"), 1, 0)
| where isNew=1

Any help?
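For what it's worth, one way to express that first-seen idea (the index name is from the post above; the 60-day lookback is an assumption - it must extend beyond the 30-day reporting window so that genuinely old users are not counted as new):

index=data earliest=-60d
| stats min(_time) AS firstTime by user
``` keep only users whose first appearance falls inside the last 30 days ```
| where firstTime >= relative_time(now(), "-30d@d")
| bin firstTime span=1d
| stats count AS new_users by firstTime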
A lot to unpack here, but whenever you post SPL, please put it in a code block using the </> icon in the UI. Firstly, you have a number of challenging commands: appendcols, dedup, sort. Your use of sort 1000000 implies you have a reasonable volume of data. If your first search returns 3 results and your appendcols returns 2 or 4 or NOT 3, or ANY different order, then the columns will not align. Using sort early on is a bad choice: it will cause performance issues, and if you have more than 1000000 items they will be truncated, which can also cause problems with your appendcols. Your first search logic could be made more efficient with

index=hum_stg_app "msg.OM_MsgType"=REQUEST msg.OM_Body.header.transactionId=* "msg.service_name"="fai-np-notification" "msg.OM_Body.header.templateType"=vsf_device_auth_otp_template "msg.OM_Body.header.channelType{}"=sms "msg.OM_Body.header.organization"=VSF
| rename msg.OM_Body.header.transactionId as transactionId
| stats earliest(_time) as Time1 count by transactionId
| eval lenth=len(transactionId)
| where lenth=40
| eval Request_time=strftime(Time1,"%y-%m-%d %H:%M:%S")

which I believe is doing what you are trying to do. The same principle applies to the second search. Is the time range in your appendcols search the same as in the outer search? Is transactionId from the first search supposed to be the same as transactionId_request? You can probably combine these into a single search, but if these two transaction IDs are the same, you would be safer using append rather than appendcols and then doing a final stats by a common transaction id to join the two data sets together - a sketch of that shape follows below. Can you give more detail on how they are different - and when diagnosing these, find a small data set where you can reproduce the issue.
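The append-then-stats shape described above might look something like this sketch (the event filters are trimmed to the essentials, and common_tx_id is just an illustrative name):

index=hum_stg_app "msg.OM_MsgType"=REQUEST "msg.service_name"="fai-np-notification"
| rename "msg.OM_Body.header.transactionId" AS common_tx_id
| append
    [ search index=hum_stg_app "msg.service_name"="fcr-np-sms-gateway" "msg.NowSMSResponse"="{*Success\"}"
      | rename "msg.TransactionId" AS common_tx_id ]
| stats earliest(_time) AS request_time latest(_time) AS completed_time by common_tx_id
| eval duration_hours = (completed_time - request_time) / 3600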
Add in

<change>
  <set token="selected_label">$label$</set>
</change>
Ok. Back up a little. You have a file. It's supposed to be a certificate (possibly with a certificate chain from a trusted root CA). How did you get it? Did you send someone a CSR to obtain a cert? Did you just get a cert because you mailed/called/faxed/whatever someone and told them "hey, we need a cert"? And the most important question here is - do you have a private key corresponding to that cert?