@tlmayes The Insights App for Splunk (IA4S) at https://splunkbase.splunk.com/app/7186 is a developer app, not a Splunk-supported app. Check out the link below for further details. https://dev.splunk.com/enterprise/docs/releaseapps/splunkbase/optionsforsubmittingcontent/#Support-content
Coming in here, years later, to document this for anyone who comes across it. The pagerduty app requires that the user who owns the alert must have, at a minimum, the list_storage_passwords capability. Almost certainly this was the issue here.
Hi @Gustavo.Marconi. Thank you for sharing the solution! 
Hi, this is the path to the element:
|spath input=REQUEST output=Memory path=body.equipment{}.memory
Also, this memory is not available in all the REQUESTs. So I want only the events which have "memory" in the REQUEST. I don't want to display the events without memory.
What is the path to this element?
Using regex and spath commands can be used to extract fields, but it's easier to use INDEXED_EXTRACTIONS=JSON or KV_MODE=json, and JSON data can change. If no events are getting auto extracted then it sounds like your sourcetype may not be applied. There are some steps/investigations on your part to undertake.

Check at the inputs level that the data is getting set with the props.conf sourcetype you have set in your TA - verify this. (The data must be coming in from a JSON file or HEC type of input somewhere.)

Once you know the correct sourcetype, ensure that KV_MODE=json has been applied with other settings such as the below. Note: INDEXED_EXTRACTIONS=JSON and KV_MODE=json set for the same sourcetype together causes the Splunk software to extract the JSON fields twice: once at index time, and again at search time - advise do not do this, stick to KV_MODE=json for now.

Analyse the data and work out some of the settings (known as the magic 6) for props.conf, such as in the example below. Tip - ideally you should always place new data into a test index and get the props working, then place into production once it's all working as expected.

Example props:

[my:json:data:sourcetype]
KV_MODE = json
# Tune the below to make Splunk more efficient
MAX_TIMESTAMP_LOOKAHEAD = (look no further in the data for timestamp)
SHOULD_LINEMERGE = false (leave default)
TIME_PREFIX = (REGEX before the timestamp)
TIME_FORMAT = (Check your time stamp and format it - example - %Y-%m-%d %H:%M:%S%:Z)
TRUNCATE = 10000 (Leave as default, may need tuning)
LINE_BREAKER = (REGEX to work out where to break the line)

Apply the above to your TA based on your specifics, deploy, test and adjust as required. Also, there may already be a props TA on Splunkbase if this data is a common data source - have you checked that?
This might be a completely different issue. You're not talking about searching directly from the raw data but some fancy operations and the final result of some more complicated search which doesn't necessarily mean that the ingested data is bad. Try running the subsearch as a separate search and see if it returns (any/proper) results. Also take note of how long the search takes and how many results it returns. Since you're using join with a subsearch, it's quite probable that this might be the culprit here - join is usually best avoided. Especially if used with a search for indexed events. Especially if it's run over a relatively long period.
Hi @m92, I added earliest and latest because you have _time in your searches, but you can ignore them. Ciao. Giuseppe
Hi @HugheJass, use this field in the conditions:
status.errorCode=*
status.errorCode=0
status.errorCode!=0
or
'status.errorCode'=*
'status.errorCode'=0
'status.errorCode'!=0
Ciao. Giuseppe
Hi @Amadou, the main issue in developing a Splunk search is to know what to search; then you can use SPL to search for the rules that you defined from your knowledge of the technology to monitor. I don't know what your technology to monitor is; as I said in my sample, if you are using Windows, EventCode=4625 means login failed. So what are the conditions that you need to search? If you need to search a value in a field (e.g. EventCode=4625) you can use this field; if you need to search a string (e.g. "login successful"), you can search for this string. Did you try to follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/8.1.0/SearchTutorial/WelcometotheSearchTutorial) to be guided in the use of SPL? Ciao. Giuseppe
OK. So you can see that if you substitute the token with the actual value, you're gonna get something that makes no sense:
index="mscloud" userPrincipalName="some_username" status.errorCode=!=0
Since token replacement is just a simple text substitution, you might need something like this:
index="mscloud" userPrincipalName="$UserID$" status.errorCode$errorCode$
(and define your choices as "=*", "=0", "!=0" respectively) or do
index="mscloud" userPrincipalName="$UserID$" $errorCode$
and define your choices as whole conditions ("status.errorCode=0" and so on).
Hi @Real_captain, this is one of the few cases to use the transaction command:
index=events_prod_cdp_penalty_esa source="SYSLOG" (TERM(NIDF=RPWARDA) OR TERM(NIDF=SPWARAA) OR TERM(NIDF=SPWARRA) OR PIDZJEA OR IDJO20P)
| transaction startswith="IDJO20P" endswith="PIDZJEA"
| table _time eventcount
Ciao. Giuseppe
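As an added illustration (not part of Giuseppe's reply or of Splunk itself), the following Python reproduces what `transaction startswith="IDJO20P" endswith="PIDZJEA" | table _time eventcount` does over a handful of constructed syslog-style events: a group opens on the start marker, absorbs events until the end marker, and each closed group reports its start time and event count. The event format, the sample contents and the handling of unterminated groups are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample events in chronological order; (timestamp, message)
# is an assumed shape, not the real SYSLOG layout from the post.
SAMPLE_EVENTS = [
    ("2024-05-01 08:00:00", "IDJO20P job started"),
    ("2024-05-01 08:00:05", "NIDF=SPWARAA step 1"),
    ("2024-05-01 08:00:09", "NIDF=SPWARRA step 2"),
    ("2024-05-01 08:00:12", "PIDZJEA job finished"),
    ("2024-05-01 09:00:00", "IDJO20P job restarted"),
    ("2024-05-01 09:00:03", "NIDF=RPWARDA step 1"),
    ("2024-05-01 09:00:20", "PIDZJEA job finished"),
    ("2024-05-01 10:00:00", "NIDF=SPWARRA orphan, no open group"),
]


@dataclass
class Transaction:
    start_time: str
    events: list = field(default_factory=list)

    @property
    def eventcount(self) -> int:
        return len(self.events)


def build_transactions(events, startswith, endswith):
    """Group (time, message) pairs as transaction startswith/endswith does:
    a start marker opens a group, events are absorbed until the end marker
    closes it. Events outside any open group are dropped. A start marker seen
    while a group is open discards the unterminated group (a simplification
    assumed here) and opens a fresh one."""
    txns, current = [], None
    for ts, msg in events:
        if startswith in msg:
            current = Transaction(start_time=ts)
        if current is None:
            continue
        current.events.append((ts, msg))
        if endswith in msg:
            txns.append(current)
            current = None
    return txns


def table(txns):
    """Equivalent of '| table _time eventcount' (start time, event count)."""
    return [(t.start_time, t.eventcount) for t in txns]


if __name__ == "__main__":
    for row in table(build_transactions(SAMPLE_EVENTS, "IDJO20P", "PIDZJEA")):
        print(row)
```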
Hello, Good day! MS Graph API duplicate email ingestion into Splunk SOAR:  We have Splunk SOAR v 6.1.1, and the Graph API v3, the ingestion settings are polling selected to interval and every 4 minutes. We are noticing duplicate ticket/email ingestion every 4 minutes causing our playbook (label_change) to error out with Validation error and could not update the record Re: SOAR Could not update record due to Validation... - Splunk Community Appreciate your guidance in advance!  
Sure. Will take this. Thanks for your feedback.
1. Please, don't post the same content in several messages. It's enough to post it once. (also - text in a preformatted paragraph or code box is worth several screenshots). 2. For "please help asap" you go to your local Splunk consultants and pay for their services. This is a community-driven forum where people voluntarily help others. Remarks like this can have the opposite effect on their motivation to answer you.
The output of each of those commands will contain settings for all outputs and all inputs respectively so the size of the output might differ. But if you find any given input or output stanza, you can compare the effective configs for this configuration element.
hahah and I was just thinking we are getting there... So I went through events and can confirm that I have one event per .csv line. I don't see any additional information injected in the events, other than "," in the fields that are empty (in the .csv file). My search first pulls in some data and does filtering and then:
| rename Letter as Y_Field
| table A_Field, B_Field, Y_Field
| join type=left Y_Field [ search earliest=-24h host="AAA" index="BBB" sourcetype="CCC" | eval dateFile=strftime(now(), "%Y-%m-%d") | where like(source,"%".dateFile."%XXX.csv") | rename "Target Number" as Y_Field | eval Y_Field=lower(Y_Field) | fields Y_Field, Field, "Field 2", "Field 3"]
| table A_Field, B_Field, Y_Field, Field, "Field 2", "Field 3"
I also wonder if the issue might be with the common field for both the search and the events information, as I have to rename it to match. I tested with renaming the field in the search, tested with renaming the field in the data pulled from the index and tested by renaming both to something different - but no luck. As I mentioned earlier the data in the index is injected daily, so the search looks for the latest csv. When I run this search, I get results for A_Field, B_Field, and Y_Field, but Field, "Field 2" and "Field 3" are empty.
Hi, just to add on this existing query, I need to get the memory details from REQUEST alone. My raw data is like the below and this memory is also not available in all the events. So I need to fetch a report with only the events that have "memory" in the REQUEST (not all events have this "memory" in the REQUEST). Please help asap.

My existing query is:
index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
|rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\""
|spath input=REQUEST output=AccountNumber path=body.customer{}.accountNumber
|spath input=REQUEST output=IMEI path=body.equipment{}.serialNumber
|spath input=REQUEST output=Channel path=headers{}.Channel
|spath input=RESPONSE output=Memory path=body.model{}.redemptionEquipmentMemory
|spath input=RESPONSE output=TransactionRefNo path=body.model{}.transactionReferenceNumber
|table AccountNumber IMEI Channel Memory TransactionRefNo
|sort TransactionRefNo