All Posts

Yes! Exactly what I need, thank you. Now the only issue I'm having is that I'm no longer able to sort the bar chart in descending order. Earlier I used to do | sort -count, but that doesn't seem to work using static
Hi, your input seems to be almost valid JSON, but not exactly: it misses "," between events. So you could use this:

[<Your sourcetype here>]
CHARSET=UTF-8
LINE_BREAKER=([\n\r]+)\{[\n\r]*"Timestamp"
MAX_TIMESTAMP_LOOKAHEAD=32
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
category=Custom
description=test
disabled=false
pulldown_type=true
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3Q%:z
TIME_PREFIX="Timestamp":\s+"

r. Ismo
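As an added illustration (not part of the reply above or of any Splunk code), the following Python emulates what the proposed LINE_BREAKER, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT settings do to two concatenated JSON events; the sample log is constructed after the question's events, and the Splunk-only directives %3Q and %:z are mapped to Python's %f and %z.

```python
from __future__ import annotations
import re
from datetime import datetime

# Constructed sample: two JSON events with no "," between them, modelled on the
# question's log (shortened). Note "Timestamp" directly follows "{" and a line
# break; the LINE_BREAKER above only allows [\n\r]* there, not indentation.
RAW = (
    '{\n"Timestamp": "2024-03-18T07:25:32.208+00:00",\n"Level": "ERR",\n'
    '"Message": "Validation failed"\n}\n'
    '{\n"Timestamp": "2024-03-18T07:15:04.259+00:00",\n"Level": "ERR",\n'
    '"Message": "Validation failed"\n}\n'
)

# The props.conf settings from the reply, expressed as Python regexes/formats.
LINE_BREAKER = re.compile(r'([\n\r]+)\{[\n\r]*"Timestamp"')
TIME_PREFIX = re.compile(r'"Timestamp":\s+"')
MAX_TIMESTAMP_LOOKAHEAD = 32
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"   # Splunk: %Y-%m-%dT%H:%M:%S.%3Q%:z


def split_events(raw: str) -> list[str]:
    """Emulate LINE_BREAKER: only the text captured by group 1 is discarded;
    the rest of the match ("{...\"Timestamp\"") stays with the next event."""
    events, start = [], 0
    for m in LINE_BREAKER.finditer(raw):
        if m.start(1) > start:           # a break at offset 0 yields no event
            events.append(raw[start:m.start(1)])
        start = m.end(1)
    tail = raw[start:].strip("\r\n")
    if tail:
        events.append(tail)
    return events


def extract_timestamp(event: str) -> datetime | None:
    """Emulate TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None                      # Splunk would fall back to other logic
    window = event[m.end(): m.end() + MAX_TIMESTAMP_LOOKAHEAD]
    ts = window.split('"', 1)[0]         # the value ends at the closing quote
    try:
        return datetime.strptime(ts, TIME_FORMAT)
    except ValueError:
        return None


if __name__ == "__main__":
    for ev in split_events(RAW):
        print(extract_timestamp(ev), "|", ev.splitlines()[1])
```

If the real events indent the "Timestamp" key after the opening brace, this LINE_BREAKER will not match and the whole file stays one event; the check above makes that visible before the config is deployed.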
Do you mean something like this?

| eval static="Category" | chart count by static category
I think at least one presenter is quite active on Slack, so you could try to ask him for help.
It doesn't matter whether the timezones are ok. Those certificate calculations are done as UTC time (time_t) anyhow. The key point is that the clocks show the correct time, i.e. no bigger drift than a couple of minutes. Usually if it's more than 5 min then it doesn't work anymore. Has this worked earlier or is this a new installation?
Dears,

I'm trying to filter out XML formatted events; below is a sample event and the REGEX which we used.

Sample Events:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>1</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2024-03-18T07:29:59.988001100Z'/><EventRecordID>11295805761</EventRecordID><Correlation/><Execution ProcessID='796' ThreadID='25576'/><Channel>Security</Channel><Computer>DC01.XXXX.COM</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NULL SID</Data><Data Name='SubjectUserName'>-</Data><Data Name='SubjectDomainName'>-</Data><Data Name='SubjectLogonId'>0x0</Data><Data Name='TargetUserSid'>UCXXX\XXXDSOD02$</Data><Data Name='TargetUserName'>XXXDSOD02$</Data><Data Name='TargetDomainName'>UCXXX</Data><Data Name='TargetLogonId'>0x13443956d5</Data><Data Name='LogonType'>3</Data><Data Name='LogonProcessName'>Kerberos</Data><Data Name='AuthenticationPackageName'>Kerberos</Data><Data Name='WorkstationName'>-</Data><Data Name='LogonGuid'>{5517AA4A-D860-6053-03FD-1FE752FC995B}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x0</Data><Data Name='ProcessName'>-</Data><Data Name='IpAddress'>172.X.X.73</Data><Data Name='IpPort'>53681</Data><Data Name='ImpersonationLevel'>%%1833</Data></EventData></Event>

Regex implemented in inputs.conf file:

blacklist10 = EventCode="4624" Message="SubjectUserSid:\s+(NULL SID)"
blacklist11 = $xmlRegex="\<EventID\>4624.*\'SubjectUserSid\'\>NULL\sSID\<.+SubjectUserName\'\>\-\<.+SubjectDomainName\'\>\-\<.+SubjectLogonId\'\>0x0\<"
blacklist12 = EventCode="4624" WorkstationName="-"

props.conf:

TRANSFORMS-null=setnull

transforms.conf:

[setnull]
SOURCE_KEY = _raw
REGEX = (\<EventID\>4624.+\'SubjectUserSid\'\>NULL\sSID\<.+SubjectUserName\'\>\-\<.+SubjectDomainName\'\>\-\<.+SubjectLogonId\'\>0x0\<)
DEST_KEY = queue
FORMAT = nullQueue

Please suggest if you have a solution for this.

Thanks,
Suraj
Hi, I'm a novice to Splunk and I have a question regarding visualization. I have my query like this:

|...myBaseQuery | chart c as "Count" by category

This results in me only having one legend in my visualization, "Count". I was wondering if there's any way to get all the values as a legend on the right (see image)? I realized this is possible when I also use the retailUnit in the chart command:

|...myBaseQuery | chart c as "Count" by retailUnit category

Then I get one label for each category (see image), but I want to achieve this without sorting on retailUnit. Is this possible?
Hi @isoutamo, it seems to be the solution to my requirement, but the results are strange: in my environment I don't see the object creation events, the edited and deleted activities are only on data and not on objects such as Correlation Searches, and they are never on the custom app I'm using for the ES customizations. If I filter for my App, I see as activity only "Correlation search", which seems to be the running of the Correlation Search, not the modification. I have to make some additional tests! Too bad that the _configtracker indication does not also contain user tracking, otherwise it would be the perfect solution for my requirement. Thank you for your help; if you have some additional hint, please let me know. Ciao. Giuseppe
Good morning, I am suspicious of the certificates because it is doing SSL inspection, and I am suspicious of the time because the scp has European time and the server has American time. Anything I could check? Thank you
Hi, can someone assist me with breaking the following log data into separate events in the props.conf? Each event should start with:

{ "Timestamp": "xxxxxxxxxxxx"

and ends with:

}

See below log detail which should be split into two events.

{ "Timestamp": "2024-03-18T07:25:32.208+00:00", "Level": "ERR", "Message": "Validation failed: \n -- ProductId: 'Product Id' must be greater than '0'. Severity: Error", "Properties": { "RequestId": "0HJYGFTHJK:00000003", "RequestPath": "/apps/-7/details", "CorrelationId": "87hjg76-gh678-77h7-ll98-pu7nsb67w567w", "ConnectionId": "KJUY686GT", "MachineName": "kic-aiy-tst-heaps-tst-6h6hfjk-980jk", "SolutionName": "Kic AIY - Test", "Environment": "test", "LoggerName": "Kic AIY - Test", "ApplicationName": "Kic AIY - Test", "ThreadId": "1", "ProcessId": "1", "ProcessUserId": "root", "SiteName": "Kic AIY - Test" }, "Exception": { "ExceptionSource": "Api.Utilities", "ExceptionType": "FluentValidation.ValidationException", "ExceptionMessage": "Validation failed: \n -- ProductId: 'Product Id' must be greater than '0'. Severity: Error", "StackTrace": " at Api.Utilities.Behaviours.ValidationBehavior`2.Handle(TRequest request, RequestHandlerDelegate`1 next, CancellationToken cancellationToken)," "FileName": null, "MethodName": "Api.Utilities.Behaviours.ValidationBehavior`2+<Handle>d__2", "Line": 0, "Data": null }, "RequestBody": null, "Additional": null }

{ "Timestamp": "2024-03-18T07:15:04.259+00:00", "Level": "ERR", "Message": "Validation failed: \n -- ProductId: 'Product Id' must be greater than '0'. Severity: Error", "Properties": { "RequestId": "0HJYGFTRJK:00000004", "RequestPath": "/apps/-7/details", "CorrelationId": "87hjg76-gh878-77h7-ll98-ku7nsb67w567w", "ConnectionId": "KJUY686GT", "MachineName": "kic-aiy-ts2t-heaps-tst2-6h6hfjk-980jk", "SolutionName": "Kic AIY - Test2", "Environment": "test", "LoggerName": "Kic AIY - Test2", "ApplicationName": "Kic AIY - Test2", "ThreadId": "1", "ProcessId": "1", "ProcessUserId": "root", "SiteName": "Kic AIY - Test" }, "Exception": { "ExceptionSource": "Api.Utilities", "ExceptionType": "FluentValidation.ValidationException", "ExceptionMessage": "Validation failed: \n -- ProductId: 'Product Id' must be greater than '0'. Severity: Error", "StackTrace": " at Api.Utilities.Behaviours.ValidationBehavior`2.Handle(TRequest request, RequestHandlerDelegate`1 next, CancellationToken cancellationToken)," "FileName": null, "MethodName": "Api.Utilities.Behaviours.ValidationBehavior`2+<Handle>d__2", "Line": 0, "Data": null }, "RequestBody": null, "Additional": null }
I am not clear what exactly you would like help with. Please expand on your issue, provide some anonymised representative sample events, give an idea of what your expected results are, an indication of what you are currently getting and why it is not what you were expecting.
You can do this by extending the cells to be a multivalue field with the colour in the second cell and then hiding the second cell with CSS. This assumes a Classic dashboard: Solved: Re: How to color cells based on there values and b... - Splunk Community
Hi @tscroggins  I've raised it in report and will update when I get a reply
Hi! I have a dashboard with 10 columns. If the value of column 1 and column 2 is different I have to mark it in red; similarly I have to do it for columns 3-4, 5-6, 7-8, 9-10. I am using the code below, but it marks the whole column red (I only need red colour for the values which are different).

<format type="color" field="Storenumber">
  <colorPalette type="expression">if (Storeid!=Storenumber,"#53A051","#DC4E41")</colorPalette>
</format>
I have tried both the preview and upgrading without doing the preview. It is after running the start command that it errors. In preview mode I get the same error; it just takes a lot longer to get to the error.

- rpm -U splunk_package_name.rpm
- $SPLUNK_HOME/bin/splunk start
When I installed and started Universal Forwarder 9.1.0.1, the following ERROR occurred:

ERROR Metrics - Metric with name='thruput:thruput' already registered
ERROR Metrics - Metric with name='thruput:idxSummary' already registered

Is this issue still persisting even with version 9.1.0.1?
Hi Marnall - Enabled indexers on all. The configuration was set on /opt/opt/splunk/etc/system/local/server.conf
Hey! I am trying to analyze Windows firewall logs in a locally hosted Splunk Enterprise. The following have been done already:

- Logs are being ingested successfully to the server
- Can view logs with details
- App TA-winfw already installed

However, it's missing any IP related info like src ip, dst ip and protocol. I can see these fields in the local file stored at "C:\Windows\System32\LogFiles\Firewall\pfirewall.log", but I don't see any such values in the Splunk ingested log data. Need help and guidance if I am missing anything? Regards
| tstats allow_old_summaries=true summariesonly=t values(Web.dest_ip) as dest_ip, values(Web.http_referrer) as http_referrer, values(Web.http_user_agent) as http_user_agent, values(Web.url) as url, values(Web.user) as src_user from datamodel=Web where (Web.src=* OR Web.url=*) by _time Web.src, Web.url | `drop_dm_object_name("Web")` | rename Web.src as src_host | regex url= "^((?i)https?:\/\/)?\w{2,4}\.\w{2,6}:8080\/[a-zA-Z0-9]+\/.*?(?:-|\=|\?)" | append [search index=audit_digitalguardian sourcetype=digitalguardian:process Application_Full_Name=msiexec.exe Command_Line="*:8080*" src_host="raspberryrobin.local" | stats values(index) as index, values(sourcetype) as sourcetype, values(Command_Line) as cmdline, values(_raw) as payload by _time, src_host, url]
Selected fields in the Splunk UI are not getting saved; each time we log in to the Splunk UI again we need to select the fields once more.