All Posts
Thank you, this worked. The only thing I wish I could see is just the matched lines and get rid of the blank rows.
Hi, it seems that there is no dashboard included with the add-on. My second question: the search (SPL command) to have a table with SNR values vs AP vs users? Thx
Hello @ITWhisperer,

First of all, I'd like to thank you for taking the time to think about my concerns. As you said, if the combinations of correlationIDs and direction are reused it may not give the results I expect. The correlationID and direction are completely random. The correlationID is an ID that SWO2-APIM associates with the request to identify it. The direction means that SWO2-APIM receives or sends the request. In the real log, the first log line is at the bottom and the last log line is at the top. This is what the real logs look like:

[2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "[\r][\n]"
[2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "0[\r][\n]"
[2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "<Message or something>[\r][\n]"
[2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "8e[\r][\n]"
[2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "[\r][\n]"
[2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "Connection: close[\r][\n]"
[2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "Transfer-Encoding: chunked[\r][\n]"
[2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "Date: Tue, 26 Mar 2024 13:02:16 GMT[\r][\n]"
[2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "Content-Type: application/xml; charset=UTF-8[\r][\n]"
[2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "HTTP/1.1 200 OK[\r][\n]"
[2024-03-26 13:02:16,353] DEBUG - wire HTTPS-Listener I/O dispatcher-4 >> "[\r][\n]"
[2024-03-26 13:02:16,353] DEBUG - wire HTTPS-Listener I/O dispatcher-4 >> "Accept-Encoding: gzip, compressed[\r][\n]"
[2024-03-26 13:02:16,353] DEBUG - wire HTTPS-Listener I/O dispatcher-4 >> "User-Agent: HealthChecker/2.0[\r][\n]"
[2024-03-26 13:02:16,353] DEBUG - wire HTTPS-Listener I/O dispatcher-4 >> "Connection: close[\r][\n]"
[2024-03-26 13:02:16,353] DEBUG - wire HTTPS-Listener I/O dispatcher-4 >> "Host: 10.229.55.71:8243[\r][\n]"
[2024-03-26 13:02:16,353] DEBUG - wire HTTPS-Listener I/O dispatcher-4 >> "GET /services/Version HTTP/1.1[\r][\n]"
[2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "[\r][\n]"
[2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "0[\r][\n]"
[2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "<Message or something>[\r][\n]"
[2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "8e[\r][\n]"
[2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "[\r][\n]"
[2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "Connection: close[\r][\n]"
[2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "Transfer-Encoding: chunked[\r][\n]"
[2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "Date: Tue, 26 Mar 2024 13:02:11 GMT[\r][\n]"
[2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "Content-Type: application/xml; charset=UTF-8[\r][\n]"
[2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "HTTP/1.1 200 OK[\r][\n]"
[2024-03-26 13:02:07,131] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "[\r][\n]"
[2024-03-26 13:02:07,131] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "0[\r][\n]"
[2024-03-26 13:02:07,131] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "<Message or something>[\r][\n]"
[2024-03-26 13:02:07,131] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "8e[\r][\n]"
[2024-03-26 13:02:07,131] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "[\r][\n]"
[2024-03-26 13:02:07,131] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "Connection: close[\r][\n]"
[2024-03-26 13:02:07,131] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "Transfer-Encoding: chunked[\r][\n]"
[2024-03-26 13:02:07,129] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "Date: Tue, 26 Mar 2024 13:02:07 GMT[\r][\n]"
[2024-03-26 13:02:07,129] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "Content-Type: application/xml; charset=UTF-8[\r][\n]"
[2024-03-26 13:02:07,129] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "HTTP/1.1 200 OK[\r][\n]"

If you look closely at the requests, they are received from bottom to top. And so, I would like to have this kind of output:

Date, loglevel, action_https, correlationID, message, duration
[2024-03-26 13:02:16,357], DEBUG, HTTPS-Listener, dispatcher-4, "HTTP/1.1 200 OK[\r][\n]" "Content-Type: application/xml; charset=UTF-8[\r][\n]" "Date: Tue, 26 Mar 2024 13:02:16 GMT[\r][\n]" "Transfer-Encoding: chunked[\r][\n]" "Connection: close[\r][\n]" "[\r][\n]" "8e[\r][\n]" "<Message or something>[\r][\n]" "0[\r][\n]" "[\r][\n]", 000
[2024-03-26 13:02:16,353], DEBUG, HTTPS-Listener, dispatcher-4, "GET /services/Version HTTP/1.1[\r][\n]" "Host: 10.229.55.71:8243[\r][\n]" "Connection: close[\r][\n]" "User-Agent: ELB-HealthChecker/2.0[\r][\n]" "Accept-Encoding: gzip, compressed[\r][\n]" "[\r][\n]", 000
[2024-03-26 13:02:11,042], DEBUG, HTTPS-Listener, dispatcher-3, "HTTP/1.1 200 OK[\r][\n]" "Content-Type: application/xml; charset=UTF-8[\r][\n]" "Date: Tue, 26 Mar 2024 13:02:11 GMT[\r][\n]" "Transfer-Encoding: chunked[\r][\n]" "Connection: close[\r][\n]" "[\r][\n]" "8e[\r][\n]" "<Message or something>[\r][\n]" "0[\r][\n]" "[\r][\n]", 000
[2024-03-26 13:02:07,129], DEBUG, HTTPS-Listener, dispatcher-4, "HTTP/1.1 200 OK[\r][\n]" "Content-Type: application/xml; charset=UTF-8[\r][\n]" "Date: Tue, 26 Mar 2024 13:02:07 GMT[\r][\n]" "Transfer-Encoding: chunked[\r][\n]" "Connection: close[\r][\n]" "[\r][\n]" "8e[\r][\n]" "<Message or something>[\r][\n]" "0[\r][\n]" "[\r][\n]", 003
I have three tables. Each has one or more ID fields (out of ID_A, ID_B, ID_C) and assigns values Xn, Yn, Zn to these IDs. In effect, the tables each contain a fragment of information from a set of objects 1...5.

Table X:
ID_A  ID_B  X1     X2
A1    B1    X1_1   X2_1
A2    B2    X1_2a  X2_2
A2    B2    X1_2b  X2_2
A3    B3    X1_3   X2_3

Table Y:
ID_A  ID_B  Y1    Y2
A2    B2    Y1_2
A2    B2          Y2_2
A3    B3          Y2_3a
A3    B3          Y2_3b
A4    B4    Y1_4  Y2_4

Table Z:
ID_B  ID_C  Z1
B1    C1    Z1_1
B3    C3    Z1_3
B5    C5    Z1_5

How can I create the superset of all three tables, i.e. reconstruct the "full picture" about objects 1..5 as well as possible? I tried with union and join in various ways, but I keep tripping over the following obstacles:
- The 1:n relation between ID and values (which should remain expanded as individual rows)
- Empty fields in between (bad for stats list(...) or stats values(...) because of different-sized MV results)
- There is no single table that has references to all objects (e.g. object 5 is only present in table Z).

Desired result:
ID_A  ID_B  ID_C  X1     X2    Y1    Y2     Z1
A1    B1    C1    X1_1   X2_1               Z1_1
A2    B2          X1_2a  X2_2  Y1_2  Y2_2
A2    B2          X1_2b  X2_2  Y1_2  Y2_2
A3    B3          X1_3   X2_3        Y2_3a  Z1_3
A3    B3          X1_3   X2_3        Y2_3b  Z1_3
A4    B4                       Y1_4  Y2_4
      B5    C5                              Z1_5

Sample data:

| makeresults
| eval _raw="ID_A;ID_B;X1;X2
A1;B1;X1_1;X2_1
A2;B2;X1_2A;X2_2
A2;B2;X1_2B;X2_2
A3;B3;X1_3;X2_3
"
| multikv forceheader=1
| table ID_A, ID_B, X1, X2
| append [ | makeresults
| eval _raw="ID_A;ID_B;Y1;Y2
A2;B2;Y1_2;
A2;B2;;Y2_2
A3;B3;Y1_3;Y2_3A
A3;B3;Y1_3;Y2_3B
A4;B4;Y1_4;Y2_4
"
| multikv forceheader=1
| table ID_A, ID_B, Y1, Y2 ]
| append [ | makeresults
| eval _raw="ID_B;ID_C;Z1
B1;C1;Z1_1
B3;C3;Z1_3
B5;C5;Z1_5
"
| multikv forceheader=1
| table ID_B, ID_C, Z1 ]
| table ID_A, ID_B, ID_C, X1, X2, Y1, Y2, Z1
As I mentioned, the problem was that we have an application on UFs and indexers for SSL log encryption. The problem was that someone put the wrong password for the .*pem file in the config file, and because of that forwarders started to disappear from the console as inactive. The first thing you should check: review both indexer and forwarder logs for any connection problems.

Best, Eugene
Hi. Trying with field transformations: and adding them to the sourcetype: But it does not work. Is there anything wrong? Thank you all!! BR
The "rest" in my answer is an SPL command.  The same REST endpoint can be accessed via port 8089 after the port is enabled. ACS will not get you all of the KOs owned by a user.
last one worked!
@ppal Have you added these both processors under service --> pipelines --> <your log-pipeline> --> processors as well? 
Hi @richgalloway, got it. What is the "rest" that is mentioned in your answer? Is it https://<deployment-name>.splunkcloud.com:8089? If yes, then we have not opened port 8089 for our Splunk Cloud instance; is it necessary to open this port to be able to use these APIs? I have access to Splunk Cloud ACS and am able to get the users list using it: https://admin.splunk.com/{stack}/adminconfig/v2/

P.S. I am new to APIs and Splunk, so apologies in case this is basic Splunk knowledge. Also, thanks for the quick reply.
Hi Gene, I am facing the similar issue. Do you mind sharing what you exactly did to resolve this? Thank you! 
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.
Splunk Fundamentals 1 was split into separate courses. You will find them here: Course Catalog | Splunk
This works well @ITWhisperer 
Try adding a table command to your base search:
<search id="base_srch">
  <query>index=prod sourcetype=auth_logs | table ip</query>
Hi, I want to go through Splunk Fundamentals 1. Where can I get this link?
First of all, thank you for a good(-ish) description of your issue. Try something like this:

| rex "(?<Date>\[[^\]]+\])\s(?<loglevel>\w+)\s-\swire\s(?<action_https>\S+)\sI\/O\s(?<correlationID>\S+)\s(?<direction>\S+)\s(?<message>.*)"
| eval grouping=correlationID.direction
| stats first(Date) as start last(Date) as end list(message) as message by grouping action_https correlationID loglevel
| eval Date=start
| eval duration=round(1000*(strptime(end,"[%F %T,%3N]")-strptime(start,"[%F %T,%3N]")),0)
| sort 0 Date
| table Date, loglevel, action_https, correlationID, message, duration

Note that your example shows unique combinations of correlationIDs and direction. If these are reused in your actual log, you may not get the results you expect. If so, please share a more representative version of your logs.
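The grouping that the SWO2-APIM wire-log question and this answer describe, as an added Python example that is part of neither post: it extracts the same fields as the rex, restores chronological order (the real log is newest-first) and groups consecutive lines rather than distinct dispatcher/direction pairs, so a reused dispatcher does not merge two separate requests, which is the caveat raised above. The log lines are a constructed sample in the format of the question.

```python
import re
from datetime import datetime
from itertools import groupby

# Field layout of the wire log: [Date] LEVEL - wire <listener> I/O <dispatcher> <</>> "<message>"
WIRE_RE = re.compile(
    r'^\[(?P<date>[^\]]+)\]\s+(?P<loglevel>\w+)\s+-\s+wire\s+(?P<action_https>\S+)\s+I/O\s+'
    r'(?P<correlationID>\S+)\s+(?P<direction>>>|<<)\s+(?P<message>.*)$')

# Constructed sample, newest first as in the real log: two requests on dispatcher-4 with a
# dispatcher-3 response in between, and a 2 ms spread inside the oldest response.
SAMPLE_LOG = r"""
[2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "Connection: close[\r][\n]"
[2024-03-26 13:02:16,357] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "HTTP/1.1 200 OK[\r][\n]"
[2024-03-26 13:02:16,353] DEBUG - wire HTTPS-Listener I/O dispatcher-4 >> "Host: 10.229.55.71:8243[\r][\n]"
[2024-03-26 13:02:16,353] DEBUG - wire HTTPS-Listener I/O dispatcher-4 >> "GET /services/Version HTTP/1.1[\r][\n]"
[2024-03-26 13:02:11,042] DEBUG - wire HTTPS-Listener I/O dispatcher-3 << "HTTP/1.1 200 OK[\r][\n]"
[2024-03-26 13:02:07,131] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "Connection: close[\r][\n]"
[2024-03-26 13:02:07,129] DEBUG - wire HTTPS-Listener I/O dispatcher-4 << "HTTP/1.1 200 OK[\r][\n]"
"""

def parse_ts(raw):
    return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S,%f")

def group_wire_log(lines, newest_first=True):
    """One record per run of consecutive lines sharing listener, dispatcher and direction.
    Grouping on runs, not on distinct dispatcher/direction pairs, keeps two requests apart
    even when the same dispatcher serves both (the reuse caveat raised in the answer)."""
    events = [m.groupdict() for m in map(WIRE_RE.match, (l.strip() for l in lines)) if m]
    if newest_first:
        events.reverse()  # the file is newest-first; restore chronological order
    records = []
    for (listener, disp, direction), run in groupby(
            events, key=lambda e: (e["action_https"], e["correlationID"], e["direction"])):
        run = list(run)
        start, end = parse_ts(run[0]["date"]), parse_ts(run[-1]["date"])
        records.append({
            "Date": "[%s]" % run[0]["date"], "loglevel": run[0]["loglevel"],
            "action_https": listener, "correlationID": disp, "direction": direction,
            "message": [e["message"] for e in run],          # chronological, one per line
            "duration_ms": round((end - start).total_seconds() * 1000)})
    return records

def format_record(r):
    """Render as 'Date, loglevel, action_https, correlationID, message, duration' (duration %03d)."""
    return "%s, %s, %s, %s, %s, %03d" % (r["Date"], r["loglevel"], r["action_https"],
                                         r["correlationID"], " ".join(r["message"]), r["duration_ms"])

for rec in group_wire_log(SAMPLE_LOG.splitlines()):
    print(format_record(rec))
```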
Hello All,

I have created a dashboard and it is always showing no results found. But when I click on open in search or directly run the search query it is showing the results. Can anyone help please?

<form version="1.1" theme="light">
  <label>Successful connections by an IP range dashboard</label>
  <search id="base_srch">
    <query>index=prod sourcetype=auth_logs</query>
    <earliest>$time.earliest$</earliest>
    <latest>$time.latest$</latest>
  </search>
  <fieldset submitButton="false">
    <input type="time" token="time" searchWhenChanged="true">
      <label>test</label>
      <default>
        <earliest>-4h@m</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search base="base_srch">
          <query>|stats count by ip</query>
        </search>
        <option name="charting.chart">pie</option>
        <option name="charting.drilldown">none</option>
      </chart>
    </panel>
  </row>
</form>
Statement: You install 1Password Events Reporting for Splunk from https://splunkbase.splunk.com/app/5632

Problem: You get error messages in the _internal index after correctly configuring it, like:

03-26-2024 11:37:30.974 +0000 ERROR ExecProcessor [12044 ExecProcessor] - message from "/opt/splunk/etc/apps/onepassword_events_api/bin/audit_events" 2024/03/26 11:37:30 [DEBUG] POST https://events.1password.com/api/v1/auditevents
03-26-2024 11:37:27.672 +0000 ERROR ExecProcessor [12044 ExecProcessor] - message from "/opt/splunk/etc/apps/onepassword_events_api/bin/signin_attempts" 2024/03/26 11:37:27 [DEBUG] POST https://events.1password.com/api/v1/signinattempts
03-26-2024 11:37:23.259 +0000 ERROR ExecProcessor [12044 ExecProcessor] - message from "/opt/splunk/etc/apps/onepassword_events_api/bin/item_usages" 2024/03/26 11:37:23 [DEBUG] POST https://events.1password.com/api/v1/itemusages
03-26-2024 11:37:20.561 +0000 ERROR ExecProcessor [12044 ExecProcessor] - message from "/opt/splunk/etc/apps/onepassword_events_api/bin/audit_events" 2024/03/26 11:37:20 [DEBUG] POST https://events.1password.com/api/v1/auditevents
03-26-2024 11:37:17.440 +0000 ERROR ExecProcessor [12044 ExecProcessor] - message from "/opt/splunk/etc/apps/onepassword_events_api/bin/signin_attempts" 2024/03/26 11:37:17 [DEBUG] POST https://events.1password.com/api/v1/signinattempts

How do you resolve this? The app was configured with a token, macros had indexes defined, and the interval for the scripted input was set to a cron schedule. Splunk 9.0.3 core standalone dev env.
Bonus question: are your timestamps parsed at all from the events? The event shows just hours/minutes/seconds whereas the _time field in Splunk shows thousandths of a second.