Double wild-carded strings are not very efficient. Could you perhaps extract the "proc" values into a field and then use a where command to exclude to events with the undesired values?
I don't know the decrypt command so this might be completely irrelevant, but is the output (emitted) field a multi-value field, and if so do you need to use mvexpand to separate out the strings that you want to filter on? Another possibility is perhaps the regex command:

| regex process_decoded!="SELECT"
Try something like this:

index=compare sourcetype="accountA" OR sourcetype="accountB"
| rename nameB as nameA, addressB as addressA, cellB as cellA
| eventstats count by accid nameA addressA cellA
| where count==1
Probably - the token you could try to use in the drilldown is $trellis.value$
Hello, how do I compare 2 source types within the same index and find the gap? For example: index=compare sourcetype=accountA and sourcetype=accountB; we have some account info in accountA but not in accountB and the objective is to find that gap.

sourcetypeA
accid   nameA   addressA   cellA
002     test1   tadd1      1234
003     test2   tadd2      1256
003     test2   tadd2      5674
004     test3   tadd3      2345
005     test4   tadd4      4567
006     test5   tadd5      7800
006     test5   tadd5      9900

sourcetypeB
accid   nameB   addressB   cellB
002     test1   tadd1      1234
003     test2   tadd2      5674
004     test3   tadd3      2345
005     test4   tadd3      4567
006     test5   tadd5      9900

Output will be:
003     test2   tadd2      1256
006     test5   tadd5      7800

Any recommendation will be highly appreciated.
Hi, I have set up the Object and Event input configuration in the Salesforce TA. I am able to see the object logs but unable to see the event logs in Splunk Cloud. Any directions for triaging the issue? Appropriate permissions are provided for the Salesforce user.
You might be wanting to configure Splunk to start at boot time:

/opt/splunk/bin/splunk enable boot-start

ref: https://docs.splunk.com/Documentation/Splunk/latest/Admin/ConfigureSplunktostartatboottime
Thanks. I hadn't thought of that. Since I posted the question, NetSkope came back with a solution. I was sent this:

conf_file_stanzas = conf_file_object.get_all()

replace the above line with the following:

conf_file_stanzas = conf_file_object.get_all(only_current_app=True)

With that the issue was resolved. The code was trying to get information from another TA.
Assuming you are on a Linux machine, you could try piping the session_key value to that first command:

echo "sessionkeyhere" | splunk cmd python -m pdb netskope_email_notification.py

(Note that if you enter the key in explicitly, it may be saved in your command history, which may be undesired. You can also read the key from a source using the "cat" command.) I couldn't tell you about the session_key... perhaps the Netskope docs could tell you where to get one. It could be a session with an email provider if this Python script is intended to send email.
I don't fully understand what you mean... would it be possible to include screenshots demonstrating the timechart you would like (using the All-time search) versus what you get? Also a full query (without private information) would be very helpful. E.g. something like this?
Indeed, "latest" should be on 9.2.1, but it seems to be on 9.0.9. Perhaps we can ping the resolver of that post @amayor_splunk and humbly ask for assistance.
At search time, you could use spath to navigate past the "event:" part of the log:

<yoursearch> | spath path=event output=_raw

However you may want a solution that does not require spath on every search. You can configure your indexing tier to remove the "event:" part of the log, so that it directly shows you the useful fields without needing to be expanded. On the indexing tier, make a props.conf file in an app, e.g. /opt/splunk/etc/apps/yourappname/local/props.conf, and make this stanza:

[cisco:amp:event]
SEDCMD-RemoveEventKey = s/{"event":\s*//
SEDCMD-RemoveLastBracket = s/}$//

(and more stanzas for other sourcetypes you would like this change to apply to)
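To check what those two SEDCMD rules will do to an event before rolling the props.conf out, here is an added Python model of them (not code from the reply or from Splunk) run over a constructed cisco:amp:event-style wrapper; it also shows the failure mode where trailing whitespace after the final brace stops the `}$` rule from matching and leaves unparseable JSON.

```python
import json
import re

# Constructed sample in the {"event": {...}} shape the reply describes; not a real captured event.
SAMPLE_RAW = '{"event": {"id": 123, "event_type": "Threat Detected", "computer": {"hostname": "host-01"}}}'

# Python equivalents of the two SEDCMD substitutions from the props.conf stanza above.
REMOVE_EVENT_KEY = re.compile(r'\{"event":\s*')   # s/{"event":\s*//
REMOVE_LAST_BRACKET = re.compile(r'\}$')          # s/}$//


def apply_sedcmd(raw: str) -> str:
    """Apply both rules the way sed's s/// does by default: first match only, in stanza order."""
    unwrapped = REMOVE_EVENT_KEY.sub("", raw, count=1)
    return REMOVE_LAST_BRACKET.sub("", unwrapped, count=1)


def unwrapped_fields(raw: str) -> dict:
    """Parse the rewritten _raw so the inner fields are at top level, as the search head would see them."""
    return json.loads(apply_sedcmd(raw))


def is_cleanly_unwrapped(raw: str) -> bool:
    """True only if the result is valid JSON with the outer 'event' wrapper gone.
    With trailing whitespace after the last '}', the '}$' rule does not match and the extra
    brace makes the JSON invalid, so this returns False: a case to test for before indexing."""
    try:
        return "event" not in unwrapped_fields(raw)
    except json.JSONDecodeError:
        return False


if __name__ == "__main__":
    print(apply_sedcmd(SAMPLE_RAW))
    print(is_cleanly_unwrapped(SAMPLE_RAW), is_cleanly_unwrapped(SAMPLE_RAW + "  "))
```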
I have been working on decoding a base64 encoded command using the decrypt2 app. I have successfully decoded the string but am facing difficulty excluding or searching, and also running stats of the decoded field, which gives a "p" thing as a result.

Examples of | search NOT:

Example of stats resulting in "p":

| rex field="process" ".*-(e|E)(n|N)[codemanCODEMAN]{0,12}\ (?<process_enc>[A-Za-z\d+/=]*)?"
| decrypt field=process_enc b64 emit('process_decoded')
| stats count by process_decoded

Could someone please provide guidance on the correct syntax to exclude or search the decoded field using search NOT or using a lookup, and help clarify the "P" thing from the stats command? DECRYPT2
We have installed and configured the MS Teams app Splunk>VictorOps version 1.1.0. It is successfully posting alerts to channels that are Public or Standard channels in a private team. However there is no option to select posting alerts to a shared channel. The channel just does not appear in the list. Is this a known limitation of the app? On the integration guide here https://help.victorops.com/knowledge-base/microsoft-teams-integration-guide/ it states that "Note that installing into any channel in a team will make Splunk>VictorOps available for all channels in that team." Has the app been set up to allow integration with Shared channels in MS Teams?

References:
https://learn.microsoft.com/en-us/microsoftteams/shared-channels
https://learn.microsoft.com/en-us/microsoftteams/platform/concepts/build-and-test/shared-channels
This worked for me! Thanks. You would assume Splunk would hold your hand a bit more rather than making you find it, but I'll take it.
It looks like you are doing everything correctly. Do you have any blocking elements in your environment like a proxy or firewall? Also, do you find any internal logs that may contain more clues as to why the authentication fails? e.g.

index=_internal authentication failed

(and any events that occur around the events that explicitly say "authentication" or "failed")
Does this combined query produce the desired results?

|mstats sum(transaction) as Total sum(success) as Success where index=metric-index transaction IN(transaction1, transaction2, transaction3) by service transaction
|eval SuccessPerct=round(((Success/Total)*100),2)
|xyseries service transaction Total Success SuccessPerct
|table service "Success: transaction1" "SuccessPerct: transaction1" "SuccessPerct: transaction2" "Total: transaction2" "Success: transaction2"
|join service
    [|mstats sum(error-count) as Error where index=metric-index by service errortype
    |append
        [|search index=app-index sourcetype=appl-logs (TERM(POST) OR TERM(GET) OR TERM(DELETE) OR TERM(PATCH)) OR errorNumber!=0 appls=et
        |lookup app-error.csv code as errorNumber output type as errortype
        |stats count as app.error count by appls errortype
        |rename appls as service error-count as Error]
    |xyseries service errortype Error
    |rename wvv as WVVErrors xxf as nonerrors]
|addtotals "Success: transaction1" WVVErrors nonerrors fieldname="Total: transaction1"
|eval sort_service=case(service="serv1",1,service="serv2",2,service="serv3",3,service="serv4",4,service="serv5",5,service="serv6",6,service="serv7",7,service="serv8",8,service="serv9",9,service="serv10",10)
|sort + sort_service
|table service "Success: transaction1" "SuccessPerct: transaction2" WVVErrors nonerrors
|fillnull value=0
| append [|mstats sum(error-count) as Error where index=metric-index by service errorNumber errortype]
| stats values(*) as * by service
Hi, thank you for the prompt response. Trellis layout can be one of the options. However, for example, if I click on DB, then it should redirect to the separate visualization where we need to view the in-depth details only for DB and not for MEMBERDASHBOARD or TASKEDIT. Is it possible? Please let me know.
Was there ever a resolution to this error? I am seeing that the directory "unknown" is being created, not the actual microservice name. Seems like a permissions issue; any thoughts?
I will preface by saying I am very new to using Splunk. We recently did a rebuild of our environment and I noticed that one of our log sources does not return formatted logs the same way our other log sources do. Whenever I try to do a query for AMP (Cisco Secure Endpoint) I have to click 'Show as raw text' to see any data, which does not seem right to me. I have been trying to extract fields using rex as well and it just does not seem to be working, and I'm not sure if it has something to do with how the logs are displaying when I do a query. Could someone point me in the right direction?