All Posts
You should not be installing indexes on the SH; this is just for search purposes. Data is stored on the indexers, and your indexes should be set there. From your comment "so the collected logs are stored in the search head's index"... this is not the way. The App/Add-on contains knowledge objects which are used for things like dashboards and parsing search-time data; the TA should only be installed onto the indexer or heavy forwarder if that is where the data is sent first. As to your comment "I set up a new instance for the heavy forwarder on which I install the add-on, and I configure it to forward the indexes to the Indexer", this is the way forward.
Yeah, that's correct. Basically these are 4 events. I am putting the config taken from the GUI below.
I have an architecture with a single SH and two indexers. I've installed the Splunk for Microsoft 365 add-on on the search head, so the collected logs are stored in the search head's index, but I want them to be stored on the indexers. Here are two other solutions:
- Either I continue with the initial setup and select only one indexer among the two to be the storage location for both the search head's data and the add-on.
- Or I set up a new instance for the heavy forwarder on which I install the add-on, and I configure it to forward the indexes to the indexer.
Which solution is the best in my case?
Hello, my events are indexed pretty fast (really close to real time, maybe 1 or 2 seconds of delay tops). I mean, when I have the search

index="*" | where ComputerName="ComputerName" | search EventCode=4776

I have all events, even the ones in real time. But whenever I add earliest=-10m latest=-2m, for example, then I don't have any result left.
Hi @apomona, the question is: on how many servers do you want to check whether the above EventCode isn't present? Or, in other words, do you have a monitoring perimeter? If yes, put it in a lookup (called e.g. perimeter.csv) containing at least one column (called host), and then run a search like this:

index=wineventlog sourcetype=xmlwineventlog EventCode=4776
| stats count BY host
| append [ | inputlookup perimeter.csv | eval count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

If you haven't a perimeter and you're sure that at least in the last hour you received at least one event with this EventCode, you could try:

index=wineventlog sourcetype=xmlwineventlog EventCode=4776 earliest=-120m@m latest=@m
| eval period=if(_time>now()-3600,"Last","Previous")
| stats dc(period) AS period_count values(period) AS period latest(_time) AS _time BY host
| where period_count=1 AND period="Previous"

I prefer the first solution because it gives you more control: using the second one, you check only hosts seen in the last hours. About the second question, avoid using Real Time alerts, because a Real Time search takes a CPU and never releases it! It's always better to run a scheduled search (e.g. every 5 minutes); choose the frequency most adapted to your requirements. About the condition, using my solution you can trigger the alert when you have results (results>0). Ciao. Giuseppe
How quickly are your events getting indexed? For example, if you look at the _indextime field and compare it to the _time field you will notice a lag. If this is over a minute, it could be that the events between -2m and -1m are not indexed before -1m and would therefore not show up in your alert search.
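As an added example (not part of the original answer), here is a search that measures that lag per host, so you can see whether the alert window is running ahead of ingestion. It assumes the wineventlog index and xmlwineventlog sourcetype used elsewhere in this thread, and the 60-second threshold is an illustrative choice:

```spl
index=wineventlog sourcetype=xmlwineventlog EventCode=4776 earliest=-60m@m latest=@m
| eval index_lag=_indextime-_time
| stats count AS events avg(index_lag) AS avg_lag_s max(index_lag) AS max_lag_s perc95(index_lag) AS p95_lag_s BY host
| where max_lag_s > 60
```

Any host listed had at least one event that became searchable more than a minute after its timestamp. For those hosts a window such as earliest=-2m@m latest=-1m@m can run before the events exist in the index, so either widen the window or shift it back by more than the observed max_lag_s before treating an empty result as a missing event.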
To get you started, here are a number of links for you to read and work through. In short, you need the *nix TA, a UF, and to configure inputs and outputs based on your requirements.
This shows you the TA required (Nix TA):
https://splunkbase.splunk.com/app/833
This shows you the OS supported (macOS is listed):
https://docs.splunk.com/Documentation/AddOns/latest/UnixLinux/About
Read the release notes:
https://docs.splunk.com/Documentation/AddOns/released/UnixLinux/Releasenotes
And you will need to install a Universal Forwarder for macOS and configure outputs and TA inputs:
https://www.splunk.com/en_us/download/universal-forwarder.html
I am not sure why you are getting different results in Fast and Verbose mode, but there appear to be some oddities with your search:

| eval newtime=strftime(_time,"%m/%d/%y %H:%M:%S")

This creates a string; what is the maximum of a string?

| stats ... max(newtime) as "event time"

Field times does not exist (after the previous stats command):

| eval times=mvindex(times, 0, 2)

I am not sure whether these make a difference though.
Hello all, I am using Splunk Cloud. I was looking on the forum yesterday in order to create an alert when an event is not detected. My idea is to send a mail when the Event 4776 is not detected. The closest I have is this:

index="*" | where ComputerName="ComputerName" | search EventCode=4776

This gives me every event 4776 on the device ComputerName. I wanted to add earliest=-2m@m latest=-1m@m like I saw in different places, but the result goes to 0 while I know this event is sent multiple times per second (multiple like 100 times). Second question: when I save as an Alert, I specify Real Time, Trigger when Specified: search count=0. Is this right? I saw people saying results=0 but I have this error: Cannot parse alert condition. Unknown search command 'results'. Thanks for the help.
I have a time picker and a time dropdown which has static values.

<panel id="pqr">
  <input type="time" token="time">
    <label>DateTime</label>
    <default>
      <earliest>@d</earliest>
      <latest>now</latest>
    </default>
  </input>
</panel>
<panel id="abc">
  <input type="dropdown" token="timedrop">
    <label>Time Dropdown</label>
    <choice value="now">Now</choice>
    <choice value="+3d">3d</choice>
    <choice value="+4d">4d</choice>
    <choice value="+5d">5d</choice>
    <default>now</default>
    <change>
      <eval token="latest_Time">if('timedrop'="now",now(),relative_time(if($time.latest$="now",now(),$time.latest$), $timedrop$))</eval>
    </change>
  </input>
</panel>

The expectation is: if Now is selected in timedrop, the data till now should load. If +3d is selected in timedrop, then +3d should be added to the time.latest token (coming from the time picker), and so on. On load (by default Today is selected), latest_Time is returning NaN, but if I select a specific time range (say 8th April 10AM-11AM) and timedrop as 3d, it works as expected.
Hi ITWhisperer, exactly this very simple, elegant solution is what I needed. Thank you very much. Works fine.
I am really struggling to add my macOS data into Splunk, just like how we can upload the event logs of Windows. Are there any add-ons that I can install to help me do this? If there are, can anyone explain how to configure them and make them work?
Hi, below is the dashboard query, which works fine for EC2 Port Probe events, but the rest of the events are not displayed in the dashlet. When we check the "open in search" option, we find events in the Events tab and not in Statistics after changing the mode from Fast to Verbose. Please help here.

index="aws_generic" source="aws.guardduty" detail.type=Discovery:S3/AnomalousBehavior*
| eval newtime=strftime(_time,"%m/%d/%y %H:%M:%S")
| rex field=host "(?<service>.*):(?<cloudprovider>.*):(?<region>.*):(?<cluster>.*):(?<role>.*):(?<stagingarea>.*)"
| stats sparkline(count) as history max(newtime) as "event time" by stagingarea detail.region detail.type detail.severity detail.description detail.accountId detail.id
| eval times=mvindex(times, 0, 2)
| sort - "event time" detail.severity
| table "event time","detail.accountId","detail.region","detail.severity","history","detail.type","detail.description"
| rename "event time" as "Event Time","detail.accountId" as "AWS Account ID","detail.region" as "AWS Region","detail.type" as "Finding Type","detail.severity" as "Severity","history" as "Event History","detail.description" as "Description"
Hi, I am calculating the difference between two search results as below. Sometimes the panel takes a bit of time to return the results, thus the variance is showing a false count. Could you please suggest how to fix this? Thanks in advance.

SPL:
| makeresults
| eval variance=$MA:result.macoscount$ - $COSMOS:result.cosmacount$
| table variance

Issue: the middle panel (with blue color) result is "MA to COSMOS value" - "COSMOS to P.H.B"
My environment just moved to JSM for monitoring and solving alerts, and we have since lost a functionality where we could link back to the Splunk search the alert originated from when an alert is triggered and sent to the alert center. I wonder if there is a way to do this with this add-on?
That is puzzling. If I understand correctly, you're talking about the host_regex setting of the monitor input, right? The docs don't say that any kind of escaping is required. If it is, however, it would be great if you posted docs feedback (there is a form at the bottom of https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf ) describing your situation and how it differs from the described state.
Rather than setting the value to true, set it to the line you want in your search:

<input type="checkbox" token="LastOne_tkn">
  <label>Dedup</label>
  <choice value="| dedup Attr1">Dedup</choice>
  <default></default>
  <initialValue></initialValue>
</input>

Then use the token in your search:

index=machinedata $LastOne_tkn$ | table Attr1, Attr2
I cannot understand why you say you are not getting a "table". Using the lookup sample you gave and the two code samples @bowesmana gave, these are the results from my instance:
1. Transpose alone
2. Transpose + foreach
Both are just like table. Are they not?