All Posts


Thanks, this works but only gives me one transaction in the result
Please find the events below:

{ "correlationId" : "3df40a3e4f07-b3ae-8b3ab12fa904", "timestamp" : "2024-04-03T08:12:12.071Z", "content" : { "FileName" : "Liability.csv.pgp" }, "applicationName" : "p-abk-finance-api", "applicationVersion" : "1.0.1"

{ "correlationId" : "3df40a3e-4f07-b3ae-8b3ab12fa904", "timestamp" : "2024-04-03T08:12:11.218Z", "content" : { "message" : "Workday successful", "FileList" : [ "_Liability_Accrual.csv.pgp" ], "FileName" : "" }, "applicationName" : "p-abk-finance-api",

{ "correlationId" : "3df40a3e-4f07-b3ae-8b3ab12fa904", "timestamp" : "2024-04-03T08:12:10.212Z", "content" : { "FileName" : "" }, "applicationName" : "p-abk-finance-api", "applicationVersion" : "1.0.1", "applicationVersion" : "1.0.1"
There doesn't appear to be anything wrong with what you are doing (I am unable to reproduce what you are seeing with dummy data). I have to conclude it is something about your actual data. Please can you share some anonymised representative sample events which demonstrate the issue you are seeing?
Hi @SanjayReddy, thank you for your reply. Unfortunately, this is not working, since your proposed command will display the same fields as in the menu Fields > Calculated fields. I think the issue is more related to the authorisations. I am 100% sure that I allowed my role to read/write the newly created variable. But I can't find it. Regards.
Hello there, I'm a newbie to Splunk and need your help please to forward syslog logs coming into Splunk to another third-party Linux server. I can clearly see on my SH instance that there are logs with sourcetype=syslog, but when I use a heavy forwarder to forward these logs I receive nothing. I configured the receiving side of the heavy forwarder to listen on 9997. Then my sources send their logs to the HF using 9997. The HF also transmits all it receives to the Splunk SH on 9997, and I'm also trying to transmit syslog to the third-party server. When I configure the outputs with the following configuration for syslog, I receive nothing on my server.

[syslog]
defaultGroup=syslogGroup
[syslog:syslogGroup]

And when I just use

[tcpout:custom_group]
server = ip:port
sendCookedData = false

I receive all kinds of data and none of it is tagged with a sourcetype. Although I can see syslog events among them, they are not tagged properly. Please help me out. Thanks in advance.
Bingo. It turned out that the data comes from indexers; simply, NOT the ones where ES is able to perform queries. There is another cluster that produces this data, but the SH with ES is not able to query it. Thanks for your help.
@richgalloway, I was mentioning that by using the query below I can limit the result to show only title and definition:

|rest /servicesNS/-/-/admin/macros |table title,definition

Would there be a way to do the same with the REST API call for macros: https://*****:8089/servicesNS/-/-/admin/macros?output_mode=json

While using the above API call with Postman, I am getting all the fields of the results, but I am interested in getting the result limited to show only "title" and "Definition". Like below, I am getting all fields; can I restrict the results to show only name and Definition of the macro?

{
  "links": {
    "create": "/servicesNS/-/-/admin/macros/_new",
    "_reload": "/servicesNS/-/-/admin/macros/_reload",
    "_acl": "/servicesNS/-/-/admin/macros/_acl"
  },
  "origin": "https://52.226.64.218:8089/servicesNS/-/-/admin/macros",
  "updated": "2024-04-29T13:11:40+00:00",
  "generator": { "build": "78803f08aabb", "version": "9.2.1" },
  "entry": [
    {
      "name": "3cx_supply_chain_attack_network_indicators_filter",
      "id": "https://52.226.64.218:8089/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter",
      "updated": "1970-01-01T00:00:00+00:00",
      "links": {
        "alternate": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter",
        "list": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter",
        "_reload": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter/_reload",
        "edit": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter",
        "disable": "/servicesNS/nobody/DA-ESS-ContentUpdate/admin/macros/3cx_supply_chain_attack_network_indicators_filter/disable"
      },
      "author": "nobody",
      "acl": {
        "app": "DA-ESS-ContentUpdate",
        "can_change_perms": true,
        "can_list": true,
        "can_share_app": true,
        "can_share_global": true,
        "can_share_user": false,
        "can_write": true,
        "modifiable": true,
        "owner": "nobody",
        "perms": { "read": [ "*" ], "write": [ "admin" ] },
        "removable": false,
        "sharing": "global"
      },
      "content": {
        "definition": "search *",
        "description": "Update this macro to limit the output results to filter out false positives.",
        "disabled": false,
        "eai:acl": null,
        "eai:appName": "DA-ESS-ContentUpdate",
        "eai:userName": "nobody"
      }
    }
  ],
  "paging": { "total": 2195, "perPage": 30, "offset": 0 },
  "messages": []
}
Yes, let me explain. This is the query; the table field filename is empty. But when I add the field value directly in the table, for example I added File1 in the table, it's showing the values. If I use File1 directly it's showing, but why is it not showing in filename?

|stats values(filename) as File1 values(FileName) as File2 |eval filename=coalesce(File1,File2) |table filename File1

In the result:
filename File1
         Test
Hello, Splunk community! I have created a correlation search with the following search string:

index="kali2_over_syslog" ((PWD=/etc AND cmd=*shadow) OR (PWD=* cmd=*/etc/shadow)) OR ((PWD=/etc AND cmd=*passwd) OR (PWD=* cmd=*/etc/passwd))
| eval time=strftime(_time, "%D %H:%M")
| stats values(host) as "host" values(time) as "access time" values(executer) as "user" count by cmd
| where 'count'>0

When I use it in the Search and Reporting app and execute "sudo cat /etc/shadow" on the monitored Linux machine, it catches this event. The rest of the settings of that correlation search are the same as in my other correlation search, which I used as a template. That other correlation search works well, and notable events are generated as well as the email notification being sent. The only difference is that I am not using any data model in my search, because I have a small test lab and only one machine on which I want to monitor this activity. Can it be that I must use the CIM-validated data models in my search so that the correlation search actually works and generates notable events? I am new to Splunk, so I am sorry if my question is a bit unclear or weird; let me know if you need additional information.
This is what my solution does - how does it not do what you expect? Please provide examples
Thanks! This query gives some answers. However, I still have to find the one for this situation: I have another alert for non-200 response codes. For this one I want to see if three consecutive 200 responses take more than 10 seconds in total. That means I will create an alert about this. So the query should return only those three consecutive 200 responses that together take more than 10 seconds.
You are going to have to be more specific - what are you currently doing? what are your current results? what results would you like to get? what do your current events look like? etc.
Hi @anel, this health check is related to the last 24 hours; are you sure that in this period you don't have delayed searches? You can check this in the Monitoring Console. Anyway, it's not possible to reset this alert; you only have to wait for the time to pass. Ciao. Giuseppe
I have another alert for non-200 response codes. For this one I want to see if three consecutive 200 responses take more than 10 seconds in total. That means I will create an alert about this.
I wonder if you're storing the data in the SH somehow. In the SH where you can query the data, check the splunk_server field to see where the SH is pulling the data from. If everything was right, you would see some or all indexers listed (depending on how well balanced the data is distributed among indexers for the time interval you selected).
Hi all, 5 days ago we had an issue with delayed searches. This is fixed and we have not had skipped or delayed searches since. However, the warning is not disappearing. Is there a way to manually trigger a recheck, mark this as acknowledged, or any other way of making this warning go away?
Where to use isnotnull()? The values File1 and File2 come from stats values. And where to check?
That worked! Thank you so much. This is exactly what I was needing. 
Any links to where I could raise non-technical support? 
There are isnull() and isnotnull() functions which can be used to evaluate whether the field is null or not.