Facing the same issue. Was this resolved?
You're very welcome for the help. I believe both the Splunk Base app and the log format you referred to are related to HAProxy's internal logs. However, what I'm looking for is a method to capture the IP addresses of external clients connecting through HAProxy. In fact, we have an HAProxy server that receives logs from various clients and forwards them to a Splunk Heavy Forwarder. Each client has its own log format. The problem is that HAProxy replaces the client's IP address with its own (in TCP). The question is: how can we have the client's IP address for each log in the Splunk Heavy Forwarder?
As you are using Dashboard Studio instead of Classic, there is no "depends" on those panels. You must look at https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/DashStudio/showHide for how to do it with DS.
If you refer to the value of the host field assigned to an event when connection_host=ip (and only if it's not overwritten later by transforms), then no - you cannot do that directly within Splunk. As HAProxy works as a "middle-man" - it is the originator of all your logging TCP connections. It receives events from the remote hosts and then sends all events to your HF within a connection initiated by itself. So obviously the origin of the event is lost. This is one of the reasons why you should _not_ receive syslogs directly on Splunk. Ideally, you should replace your haproxy with a syslog receiver which would track the source addresses and either write events to files to be picked up by a forwarder or forward them to HEC.
Hi @Benny87

What kind of architecture do you have? Do you have multiple indexers? Please could you run btool to check the eventtypes on the SH and an indexer:

$SPLUNK_HOME/bin/splunk btool eventtypes list --debug wineventlog_security

I'm also wondering if something that matches another eventtype for your firewall data is also referencing wineventlog_security... if you run the same btool command as above without the final "wineventlog_security", do you see "wineventlog_security" within any other stanzas?

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @Ashish0405

Just add another <format> under the existing one, such as:

<format type="color" field="Severity">
  <colorPalette type="map">{"Critical":#D93F3C,"Informational":#31A35F}</colorPalette>
</format>

Full example:

<dashboard version="1.1">
  <label>Demo</label>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults | eval Status="failed", Severity="Critical" | append [makeresults | eval Status="finished", Severity="Informational"]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="Status">
          <colorPalette type="map">{"failed":#D93F3C,"finished":#31A35F,"Critical":#D93F3C,"Informational":#31A35F}</colorPalette>
        </format>
        <format type="color" field="Severity">
          <colorPalette type="map">{"Critical":#D93F3C,"Informational":#31A35F}</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing

Edit - Sorry, I just saw the other replies which I hadn't noticed before, not meaning to step on others' toes!
Hi @hv64

Is this a dashboard that you have created yourself with a custom visualisation or a visualisation from another Splunkbase app, such as Process Flow Diagram App? If so, please could you let us know which version of any custom Viz app you are using along with the Splunk Enterprise/Cloud version? Are you able to share the dashboard XML?

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @Nrsch

Are you talking about the "host" field in Splunk? It is typical for this field to be the device which is sending the logs. Instead you would want to extract a field called something like "src_ip" or "client_ip" which would be the IP address of the client system making the web request. If you're able to share a few sample/redacted events then I'd be happy to help create the relevant extractions you need. There is also a Splunkbase app for HAProxy (https://splunkbase.splunk.com/app/3135) which is designed to take a syslog input; however, the field extractions could well be the same if you're sending to a file and then forwarding with a Splunk forwarder?

Alternatively you could look to set a custom HAProxy log format (since you wouldn't be using the off-the-shelf addon) and can then set key=value pairs for the log event components, e.g. client_ip=%ci for client IP. See https://www.haproxy.com/blog/haproxy-log-customization for more info on that.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @SN1

Try the following:

require([
  'splunkjs/mvc',
  'splunkjs/mvc/searchmanager',
  'splunkjs/mvc/tableview',
  'splunkjs/mvc/simplexml/ready!',
  'jquery'
], function(mvc, SearchManager, TableView, ignored, $) {
  // Define a simple cell renderer with a button
  var ActionButtonRenderer = TableView.BaseCellRenderer.extend({
    canRender: function(cell) {
      return cell.field === 'rowKey';
    },
    render: function($td, cell) {
      $td.addClass('button-cell');
      var rowKey = cell.value;
      var $btn = $('<button>').text('Unsolved');
      $btn.on('click', function(e) {
        e.preventDefault();
        e.stopPropagation();
        // rowKey comes from the row data and is interpolated into an SPL string:
        // escape backslashes and double quotes so a value containing a quote
        // cannot break out of the string literal in the eval below
        var safeKey = String(rowKey).replace(/\\/g, '\\\\').replace(/"/g, '\\"');
        var searchQuery = `| inputlookup sbc_warning.csv | eval rowKey=tostring(rowKey) | eval solved=if(rowKey="${safeKey}", "1", solved) | outputlookup sbc_warning.csv`;
        var writeSearch = new SearchManager({
          id: "writeSearch_" + Math.floor(Math.random() * 100000),
          search: searchQuery,
          autostart: true
        });
        writeSearch.on('search:done', function() {
          $btn.text('Solved');
          // Re-run the panel's search so the table reflects the updated lookup
          var panelSearch = mvc.Components.get('panel_search_id');
          if (panelSearch) {
            panelSearch.startSearch();
          }
        });
      });
      $td.append($btn);
    }
  });

  // Apply the renderer to the specified table
  var tableComponent = mvc.Components.get('sbc_warning_table');
  if (tableComponent) {
    tableComponent.getVisualization(function(tableView) {
      tableView.table.addCellRenderer(new ActionButtonRenderer());
      tableView.table.render();
    });
  }
});

The button is created with $('<button>').text('Unsolved'). When clicked, after the lookup update (search:done), the button label is changed using $btn.text('Solved'). This only changes the text for that row's button; repeat clicks won't revert it.

Note: If you want the initial state ("Unsolved"/"Solved") to reflect actual data, you must pass the current "solved" value for each row and set the initial button text accordingly. Do you have a field for whether it's already Solved or not that you could use to set the initial button text?

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
@yuanliu hi, so I only want to suppress the alert on the dates in the lookup table. The condition for the alert is to fire if the result does not equal 1. If you're pointing out my screenshot, please let me know which to adjust to the correct format so I can try to implement it correctly.
You almost had it. Use the bin and stats commands to group events by day and get the latest status. Then timechart will give the counts.

basesearch
| bin span=1d _time
| stats latest(status) as status by _time, test
| timechart span=1d distinct_count(test) by status
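The difference between the original search and the one in this answer, worked through in Python as an added example (this is not code from the thread or from Splunk). The event list is constructed sample data; naive_counts mirrors the original timechart over raw events, latest_per_day_counts mirrors the bin/stats/timechart pipeline above, and the two differ exactly on the day where one test logged two statuses:

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events: (timestamp, test, status). Not real data.
EVENTS = [
    ("2025-05-26T08:00:00Z", "Login test (id 151)", "OK"),
    ("2025-05-26T14:00:00Z", "Login test (id 151)", "Blad"),
    ("2025-05-26T09:00:00Z", "Search test (id 152)", "OK"),
    ("2025-05-27T08:00:00Z", "Login test (id 151)", "OK"),
    ("2025-05-27T10:00:00Z", "Search test (id 152)", "WARN"),
    ("2025-05-27T11:00:00Z", "Search test (id 152)", "OK"),
]


def parse_ts(ts):
    """Parse an ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def day_bucket(ts):
    """Equivalent of `bin span=1d _time`: the calendar day (UTC) of the event."""
    return parse_ts(ts).date().isoformat()


def naive_counts(events):
    """`timechart span=1d distinct_count(test) by status` over raw events.

    A test that logged two different statuses on the same day is counted
    once under each status, which is the duplication seen in the question.
    """
    tests_by_day_status = defaultdict(set)
    for ts, test, status in events:
        tests_by_day_status[(day_bucket(ts), status)].add(test)
    result = defaultdict(dict)
    for (day, status), tests in tests_by_day_status.items():
        result[day][status] = len(tests)
    return dict(result)


def latest_per_day_counts(events):
    """`bin span=1d _time | stats latest(status) as status by _time, test
    | timechart span=1d distinct_count(test) by status`.

    Keep only the most recent event of each test within each day, so every
    test contributes exactly one status per day on which it reported.
    """
    latest = {}  # (day, test) -> (datetime, status)
    for ts, test, status in events:
        key = (day_bucket(ts), test)
        when = parse_ts(ts)
        if key not in latest or when > latest[key][0]:
            latest[key] = (when, status)
    result = defaultdict(lambda: defaultdict(int))
    for (day, _test), (_when, status) in latest.items():
        result[day][status] += 1
    return {day: dict(counts) for day, counts in result.items()}


if __name__ == "__main__":
    print("naive :", naive_counts(EVENTS))
    print("latest:", latest_per_day_counts(EVENTS))
```

On 2025-05-26 the naive version reports OK=2 and Blad=1 (three counts for two tests), while the latest-per-day version reports Blad=1 and OK=1, which is the per-day total the question expects.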
@Ashish0405

<dashboard version="1.1">
  <label>Status &amp; Severity Coloring</label>
  <row>
    <panel>
      <title>Test Status and Severity</title>
      <table>
        <search>
          <query>
            <![CDATA[
            | makeresults count=4
            | streamstats count as id
            | eval Status=case(id==1, "failed", id==2, "finished", id==3, "finished", 1==1, "failed")
            | eval Severity=case(id==1, "Critical", id==2, "Informational", id==3, "Critical", 1==1, "Informational")
            ]]>
          </query>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
        <format type="color" field="Status">
          <colorPalette type="map">{&quot;failed&quot;:&quot;#D93F3C&quot;,&quot;finished&quot;:&quot;#31A35F&quot;}</colorPalette>
        </format>
        <format type="color" field="Severity">
          <colorPalette type="map">{&quot;Critical&quot;:&quot;#D93F3C&quot;,&quot;Informational&quot;:&quot;#31A35F&quot;}</colorPalette>
        </format>
      </table>
    </panel>
  </row>
</dashboard>
For the search Eventtype=wineventlog_security there's no results. The errors are:

[Indexer] Eventtype 'wineventlog_security' does not exist or is disabled
[Indexer] Ignoring eventtype 'wineventlog_security' for search expansion due to error="search string cannot be empty"
remote search process failed on peer

As for additional information, the error just shows up for index searches where NO Windows event logs are involved. Just for our firewalls, switches and other devices. As long as I search Windows indexes, e.g. Index=wineventlog_security or index=wineventlog_system, there's no error.
Hi @Benny87, what happens if you run eventtype=wineventlog_security from a search dashboard in your app? Do you have the same message or a different one? Did you recently change the version of Splunk_TA_Windows? Recently there was a change to the data structure of the TA: the sourcetype is WinEventLog or XmlWinEventLog, and the difference between Security, Application and System is in the source field. Otherwise, you can open a case with Splunk Support, because this Add-On is Splunk supported. Ciao. Giuseppe
Hi @Nrsch, if you have different log formats, you should exactly identify each data source, assigning to each one the correct sourcetype. Then, having the correct sourcetype, you can define a host recognition regex for each one. About the IP address instead of the hostname, it depends on the presence of this field in the log: if it's present, you can assign it to the host field using a regex; if not present, it isn't so easy. Ciao. Giuseppe
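The per-sourcetype host recognition described in this reply, together with the custom HAProxy key=value log format (client_ip=%ci) suggested in the other reply in this thread, modelled in Python as an added example (this is not code from the thread or from Splunk). The relay address 10.0.0.5, the stanza name haproxy_kv_host, the sourcetype names and the sample events are all constructed for the example; the equivalent Splunk mechanism is a transforms.conf stanza with DEST_KEY = MetaData:Host, applied from props.conf on the instance that parses the data (the heavy forwarder here):

```python
import re

# Address of the HAProxy relay (assumed value for this example). With
# connection_host=ip this is what Splunk assigns as host to every event that
# arrives over HAProxy's own TCP connection, whatever the original sender was.
HAPROXY_ADDR = "10.0.0.5"

# One host-recognition regex per sourcetype, modelled on a transforms.conf
# stanza such as (hypothetical stanza name):
#   [haproxy_kv_host]
#   REGEX    = client_ip=(\d{1,3}(?:\.\d{1,3}){3})
#   FORMAT   = host::$1
#   DEST_KEY = MetaData:Host
# wired in from props.conf with: TRANSFORMS-host = haproxy_kv_host
HOST_RULES = {
    # HAProxy custom log-format written as key=value pairs (client_ip=%ci)
    "haproxy:kv": re.compile(r"\bclient_ip=(\d{1,3}(?:\.\d{1,3}){3})\b"),
    # Classic BSD syslog header: <PRI>Mon dd hh:mm:ss HOSTNAME tag: message
    "syslog:rfc3164": re.compile(
        r"^<\d{1,3}>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}\s(\S+)\s"),
}


def assign_host(sourcetype, raw, connection_host):
    """Return the host value Splunk would end up with for this event.

    If the sourcetype has a rule and it matches, the captured group becomes
    host; otherwise the connection host (here: the relay's address) is kept.
    """
    rule = HOST_RULES.get(sourcetype)
    if rule is not None:
        match = rule.search(raw)
        if match:
            return match.group(1)
    return connection_host


# Constructed sample events as the heavy forwarder would see them:
# (sourcetype, raw event, connection host).
EVENTS = [
    ("haproxy:kv",
     "client_ip=192.0.2.10 client_port=51234 frontend=syslog_in backend=splunk_hf",
     HAPROXY_ADDR),
    ("syslog:rfc3164",
     "<13>May 26 08:00:01 app-server-01 sshd[4242]: Accepted publickey for ops",
     HAPROXY_ADDR),
    # No recognisable origin in the payload: host stays the relay's address.
    ("app:json", '{"msg":"no host in payload"}', HAPROXY_ADDR),
]


def assign_all(events):
    """Apply assign_host to every (sourcetype, raw, connection_host) tuple."""
    return [(sourcetype, assign_host(sourcetype, raw, conn))
            for sourcetype, raw, conn in events]


if __name__ == "__main__":
    for sourcetype, host in assign_all(EVENTS):
        print(f"{sourcetype:16s} host={host}")
```

A host taken from the event body is whatever the sender wrote into the log, unlike the connection address, which Splunk observed itself; if you rely on it for alerting or attribution, keep the relay address in a separate field as well so the transport-level source is still recorded.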
The Windows TA eventtypes are all globally shared and access is read for everyone. The problem is why now and not a few days ago. The error just started to show up a few days ago without any change to any configuration.
Hi @Benny87, check if this eventtype is shared at App or Global level: it must be Global. You can do this at [Settings > Eventtypes]. Ciao. Giuseppe
Hi, I've got some problems in my searches since a few days ago. I really don't know what happened and no one changed the configuration.

In search or dashboards for Cisco Network I get for every search the error "Eventtype 'wineventlog_security' does not exist or is disabled".

Search example: Index=firewall

The question is why, when I search a completely unrelated index to Windows, it shows the error from the eventtype from the Windows-TA? And also it doesn't show any results.
Thank you for your answer. Since the HAProxy collects logs from different clients, their log formats are different. So, do we need to parse the logs twice — once to extract the hostname, and again to extract other fields depending on the log type? Also, is it possible to extract the host IP address instead of the hostname? Thank you very much for your help.
Hello,

I would like to create a timechart that counts the number of tests with different statuses (e.g. statuses 'OK', 'ERROR', 'WARN' etc.) for the last 30 days (per each day). The problem is that it should take only the latest log with status per test (e.g. I have Login test (id 151), it has a couple of events/logs with different statuses, and I would like to take for that test the last log/event with the latest status). I have a problem combining 'latest' and 'distinct_count' with timechart.

When I do the following search, I get duplicates of logs for a test (e.g. I should have every day a count of 62 (tests) for all statuses):

basesearch | timechart span=1d distinct_count(test) as tests by status

e.g. on day 2025-05-26 test 'Login test (id 151)' has one event with status 'OK' and another one with status 'Blad', and the duplicate is shown here. When I want to combine 'latest' with timechart I get distinct_count results only for the last day:

basesearch | stats latest(status) as statuses latest(test) as tests latest(_time) as myTime by test | eval _time=myTime | timechart span=1d distinct_count(tests) by statuses

I'd appreciate help on how to combine timechart, distinct_count and latest all together.