All Posts
Events are retrieved based on the value of _time, so depending on how your event is parsed, it may appear in the index retrospectively. For example, Apache httpd log entries are usually timestamped with the time the request came in, e.g. 05:26, but written to the log when the request is completed, e.g. 05:28. This means it was not in the log at 05:27 but did appear "later".
The case function does not support wildcards natively, but you can use them in like (as you have) or you can use the equivalent regular expression using match.

```
| eval Status=case(
    like('message',"%Exchange Rates Process Completed. File sucessfully sent to Concur%"),"SUCCESS",
    match('message',"(TEST|DEV|PRD)\(SUCCESS\): Exchange Rates OnDemand Interface Run Report - Concur"),"SUCCESS",
    like('TracePoint',"%EXCEPTION%"),"ERROR")
```
There are a few ways to onboard data into Splunk.
- Install a universal forwarder on the server to send log files to Splunk.
- Have the server send syslog data to Splunk via a syslog server or Splunk Connect for Syslog.
- Use the server's API to extract data for indexing.
- Use Splunk DB Connect to pull data from the server's SQL database.
- Have the application send data directly to Splunk using HTTP Event Collector (HEC).

This answer may be useful: https://community.splunk.com/t5/Other-Usage/Splunk-integration-with-thousandeyes/m-p/361387 See also https://www.thousandeyes.com/blog/data-observability-backend-opentelemetry
Using props.conf I'm able to extract the fields, but on the Splunk dashboard the data is not visible for 05:26 pm while data is visible for 05:27 pm; if I check after 2-3 minutes the entry at 05:26 pm becomes visible. On the dashboard the default time range is the last 15 minutes.
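The gap described in this question and in the _time explanation earlier on this page, as an added Python illustration that is not part of the thread: each event carries the time it describes (_time) and the time it was actually indexed (_indextime), and a panel keyed on _time cannot show an event that has not been written yet. The events, the clock times and the helper names below are constructed for the example.

```python
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Added illustration (not from the thread): an event is selected by the time it
# describes (_time), but it can only be found once it has been written and
# indexed (_indextime). Sample events are constructed.

class Event(NamedTuple):
    time: datetime       # timestamp parsed from the log line -> _time
    indextime: datetime  # when the indexer stored it -> _indextime
    text: str

def visible_by_event_time(events: List[Event], now: datetime,
                          window: timedelta = timedelta(minutes=15)) -> List[str]:
    """A 'last 15 minutes' panel run at 'now': _time must fall in the window,
    and the event must already have been indexed."""
    return [e.text for e in events
            if now - window <= e.time <= now and e.indextime <= now]

def visible_by_index_time(events: List[Event], now: datetime,
                          window: timedelta = timedelta(minutes=15)) -> List[str]:
    """Same panel keyed on _indextime instead: a late writer appears as soon as
    it is indexed, even if its _time lies before the window."""
    return [e.text for e in events
            if now - window <= e.indextime <= now]

def t(hhmmss: str) -> datetime:
    """Helper: a clock time on a fixed, constructed date."""
    return datetime.strptime("2024-03-07 " + hhmmss, "%Y-%m-%d %H:%M:%S")

# Constructed sample: the 05:26 pm request is only logged when it completes at 05:28 pm.
EVENTS = [
    Event(t("17:25:10"), t("17:25:11"), "GET /login finished quickly"),
    Event(t("17:26:00"), t("17:28:05"), "GET /report slow request"),
    Event(t("17:27:30"), t("17:27:31"), "GET /health"),
]

if __name__ == "__main__":
    for now in (t("17:27:40"), t("17:29:00")):
        print(now.time(), "by _time:", visible_by_event_time(EVENTS, now))
```

The same idea applies to scheduled detections: a search that runs every five minutes over the last five minutes of _time silently skips anything that is written late, so either add a lookback or bound the search on _indextime (`_index_earliest` / `_index_latest` in SPL).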
Hi @ITWhisperer, here is the raw format:

```json
{
  "message_type": "INFO",
  "processing_stage": "XXXXX",
  "message": "XXXXXX",
  "correlation_id": "XXXXXX",
  "error": "",
  "invoker_agent": "XXXXXX",
  "invoked_component": "XXXXXX",
  "request_payload": "",
  "response_details": "",
  "invocation_timestamp": "XXXXX",
  "response_timestamp": "XXXXX",
  "original_source_app": "XXXX",
  "AAAA": "",
  "retry_attempt": "1",
  "custom_attributes": {
    "entity-internal-id": ["12345678", "9876543", "2341234"],
    "root-entity-id": "3",
    "campaign-id": "XXXX",
    "campaign-name": "XXXXX",
    "marketing-area": "CCCC",
    "lead-id": ["000000", "1111111", "3333333"],
    "record_count": "",
    "country": ""
  }
}
```
Hi, we see the same issue on Splunk 9.1.2. What was the reason for lowering this to 1 from the default of 6? maxConcurrentOptimizes=1
Hi @gcusello, is there a way I can update the hours in the CSV file rather than in the query? Can we do that?
Hi guys, thanks in advance. How do I change the background colour when I click on a tab so that it shows as active? Right now it shows as active on click, but I also want to change the background colour when clicking on the tab.

```css
#input_link_split_by.input-link button {
  width: 120px !important;
  border-top-color: rgb(255, 255, 255);
  border-top-style: solid;
  border-top-width: 1px;
  border-right-color: rgb(255, 255, 255);
  border-right-style: solid;
  border-right-width: 1px;
  border-left-color: rgb(255, 255, 255);
  border-left-style: solid;
  border-left-width: 1px;
  border-top-left-radius: 10px;
  border-top-right-radius: 10px;
}
```
You are a genius! Thank you!!!
Try this

```html
<html>
  <style>
    #rk g[transform] text { font-size: 20px !important; font-weight: bold !important; }
    g.highcharts-axis-labels.highcharts-xaxis-labels text { font-size: 20px !important; }
    g.highcharts-axis-labels.highcharts-yaxis-labels text { font-size: 20px !important; }
  </style>
</html>
```
Hi guys, thanks in advance. I have case conditions to match in my Splunk query, based on the message for a correlationId (see below). I want to show JobType and Status. In Status I added case with like to match the conditions against the message field. For all three environments the message is the same; only the environment name differs, and I added all three to the case. So how can we use a wildcard in the case statement, or is there another solution to shorten the query?

```
(message="DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("PRD(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") (message="onDemand Flow for concur Expense Report file with FileID Started") OR (message="Exchange Rates Scheduler process started") OR (message="Exchange Rates Process Completed. File successfully sent to Concur*") OR (message="DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur") OR ("PRD(SUCCESS): Exchange Rates Interface Run Report - Concur")
| transaction correlationId
| rename timestamp as Timestamp correlationId as CorrelationId tracePoint as TracePoint content.payload.TargetFileName as TargetFileName
| eval JobType=case(like('message',"%onDemand Flow for concur Expense Report file with FileID Started%"), "OnDemand", like('message',"%Exchange Rates Scheduler process started%"),"Scheduled", true(), "Unknown")
| eval Status=case(like('message',"%Exchange Rates Process Completed. File sucessfully sent to Concur%"),"SUCCESS", like('message',"%TEST(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur%"),"SUCCESS", like('message',"%DEV(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur%"),"SUCCESS", like('message',"%PRD(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur%"),"SUCCESS", like('TracePoint',"%EXCEPTION%"),"ERROR")
```
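How the like() wildcards and the match() regular expression from the accepted approach (the case/like/match answer earlier on this page) relate to each other, as an added Python example that is not part of the thread: `like_to_regex` turns a like() pattern into an anchored regex (`%` for any run, `_` for one character, everything else literal, so the parentheses in `DEV(SUCCESS)` are escaped), and `status_of` reproduces case() semantics, where branches are tried in order and the first hit wins. The messages are constructed; the function names are my own.

```python
import re
from typing import Optional

# Added example (not from the thread): like()-style wildcards mapped to regex,
# plus a case()-style classifier. Sample messages are constructed.

def like_to_regex(pattern: str) -> re.Pattern:
    """Translate a like() pattern (% = any run, _ = one char) into an anchored regex.
    Every other character, including '(' and ')', is matched literally."""
    out = []
    for ch in pattern:
        if ch == "%":
            out.append(".*")
        elif ch == "_":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$", re.DOTALL)

# One regex instead of three environment-specific like() branches.
# The literal parentheses around SUCCESS must be escaped or the regex fails to compile.
SUCCESS_REPORT = re.compile(
    r"(TEST|DEV|PRD)\(SUCCESS\): Exchange Rates OnDemand Interface Run Report - Concur"
)

def status_of(message: str, tracepoint: str = "") -> Optional[str]:
    """case()-style classifier: branches are evaluated in order, first hit wins;
    no match yields None, just as case() yields null."""
    branches = [
        (lambda: like_to_regex("%Exchange Rates Process Completed. File successfully sent to Concur%").search(message), "SUCCESS"),
        (lambda: SUCCESS_REPORT.search(message), "SUCCESS"),   # match() is unanchored
        (lambda: like_to_regex("%EXCEPTION%").search(tracepoint), "ERROR"),
    ]
    for test, label in branches:
        if test():
            return label
    return None

if __name__ == "__main__":
    for msg in ("PRD(SUCCESS): Exchange Rates OnDemand Interface Run Report - Concur",
                "Exchange Rates Scheduler process started"):
        print(msg, "->", status_of(msg))
```

Branch order matters in the same way as in SPL: if the EXCEPTION check were listed first, a transaction that both raised an exception and later reported success would be labelled ERROR.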
@sigma the pass4SymmKey is a unique key provided by Splunk that enables communication and authentication between your indexers and other relevant instances, such as SHs and CM<>IDX. In summary, pass4SymmKey does not regulate user access; rather, it manages authentication between Splunk instances. For additional details, see this link: https://docs.splunk.com/Documentation/Splunk/9.2.0/Security/Aboutsecuringclusters If someone gains access to the pass4SymmKey, they could potentially compromise the security of the entire cluster. An attacker with knowledge of the pass4SymmKey could impersonate cluster nodes, manipulate data, or disrupt the cluster's functionality. Therefore, treat the pass4SymmKey as a sensitive secret and store it securely.
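A defender-side check that follows from the answer above, as an added Python example that is not part of the thread or of Splunk: scan server.conf-style text for pass4SymmKey values that were never changed from the shipped default or that remain in clear text. It assumes two things I know from Splunk's documentation: the default value is `changeme`, and once splunkd has restarted it rewrites the value with a `$7$` prefix (`$1$` on older releases). The config text below is constructed, and the function name is my own.

```python
import re
from typing import List, Tuple

# Added example (not from the thread or Splunk): audit pass4SymmKey settings.
# Assumptions: default value is "changeme"; splunkd-encrypted values start with
# "$7$" (or "$1$" on older releases). The sample config is constructed.

SAMPLE_SERVER_CONF = """
[general]
serverName = idx01
pass4SymmKey = $7$constructedEncryptedBlobAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

[clustering]
mode = peer
pass4SymmKey = changeme

# Clear text is only expected before the first restart after editing the file.
[indexer_discovery:cluster1]
pass4SymmKey = plaintext-secret
"""

ENCRYPTED = re.compile(r"^\$(7|1)\$")

def audit_pass4symmkey(conf_text: str) -> List[Tuple[str, str]]:
    """Return (stanza, finding) pairs for every pass4SymmKey that is still the
    default or is sitting in clear text."""
    findings: List[Tuple[str, str]] = []
    stanza = "(none)"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "pass4SymmKey":
            continue
        value = value.strip()
        if value == "changeme":
            findings.append((stanza, "default value 'changeme'"))
        elif not ENCRYPTED.match(value):
            findings.append((stanza, "stored in clear text (not $7$-encrypted)"))
    return findings

if __name__ == "__main__":
    for stanza, finding in audit_pass4symmkey(SAMPLE_SERVER_CONF):
        print(f"[{stanza}] pass4SymmKey: {finding}")
```

Run it against every node in the cluster, not just the manager: the key has to be identical across members, so a single peer left on the default is enough to matter. Rotating the key means updating all members and restarting them.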
This looks like it might be JSON - if so, please provide your example (anonymised) event(s) in raw/unformatted form, i.e. valid JSON syntax, preferably in a code block </>
Try something like this:

```
| makeresults
| fields - _time
| eval _raw="{ \"timestamp\": \"2024-03-07T07:46:27Z\", \"eventName\": \"ProcessEvent\", \"computer\": { \"name\": \"randomMacBook-Pro.local\", \"uuid\": \"9b85f341-3a24-4f70-a371-8863f8a72f1c\" }, \"processInfo\": { \"imageName\": \"bash\", \"pid\": 51097, \"systemProcess\": false, \"imagePath\": \"/bin/bash\", \"commandLine\": \"-c pmset -g batt\", \"exeHash\": { \"sha1\": \"87FD78930606102F09D607FC7305996CEFA6E028\", \"sha256\": null }, \"sid\": \"\", \"username\": \"randomuser:staff\", \"sidNameUse\": 0, \"startTime\": \"2024-03-07T07:46:27Z\", \"currentDirPath\": \"/\", \"isCompromised\": false, \"lnkPath\": \"\", \"parentProcess\": { \"imageName\": \"randomprocess1\", \"pid\": 51097, \"systemProcess\": false, \"imagePath\": \"%APPLICATIONS%/randomprocess1.app/contents/macos/randomprocess1\", \"commandLine\": \"/Applications/RandomProcess1.app/Contents/MacOS/RandomProcess1 -runMode autoLaunched\", \"exeHash\": { \"sha1\": \"E31C5F2840F47A094D58A181586B802FA8531C7E\", \"sha256\": null }, \"sid\": \"\", \"username\": \"randomuser:staff\", \"sidNameUse\": 0, \"startTime\": \"2024-03-07T07:46:27Z\", \"currentDirPath\": \"/\", \"isCompromised\": false, \"lnkPath\": \"\", \"parentProcess\": { \"imageName\": \"randomprocess2\", \"pid\": 603, \"systemProcess\": false, \"imagePath\": \"%APPLICATIONS%/randomprocess2.app/contents/macos/randomprocess2\", \"commandLine\": \"/Applications/RandomProcess2.app/Contents/MacOS/RandomProcess2 -runMode autoLaunched\", \"exeHash\": { \"sha1\": \"E31C5F2840F47A094D58A181586B802FA8531C7E\", \"sha256\": null }, \"sid\": \"\", \"username\": \"randomuser:staff\", \"sidNameUse\": 0, \"startTime\": \"2024-03-01T08:02:32Z\", \"currentDirPath\": \"/\", \"isCompromised\": false, \"lnkPath\": \"\", \"parentProcess\": { \"imageName\": \"launchd\", \"pid\": 603, \"systemProcess\": false, \"imagePath\": \"/sbin/launchd\", \"commandLine\": \"\", \"exeHash\": { \"sha1\": \"AA7A8F25AE7BE3BFF0DB33A8FB0D0C49361D1176\", \"sha256\": null }, \"sid\": \"\", \"username\": \"root:wheel\", \"sidNameUse\": 0, \"startTime\": \"2024-03-01T08:02:32Z\", \"currentDirPath\": \"/\", \"isCompromised\": false, \"lnkPath\": \"\", \"parentProcess\": { \"imageName\": \"launchd\", \"pid\": 1, \"systemProcess\": false, \"imagePath\": \"/sbin/launchd\", \"commandLine\": \"\", \"exeHash\": { \"sha1\": \"AA7A8F25AE7BE3BFF0DB33A8FB0D0C49361D1176\", \"sha256\": null }, \"sid\": \"\", \"username\": \"root:wheel\", \"sidNameUse\": 0, \"startTime\": \"2024-03-01T07:57:30Z\", \"currentDirPath\": \"/\", \"isCompromised\": false, \"lnkPath\": \"\", \"parentProcess\": { \"imageName\": \"kernel_task\", \"pid\": 1, \"systemProcess\": true, \"imagePath\": \"kernel_task\", \"commandLine\": \"\", \"exeHash\": { \"sha1\": \"24BF148FA83C8A5D908C33954B5CA91A5E4E3659\", \"sha256\": null }, \"sid\": \"\", \"username\": \"root:wheel\", \"sidNameUse\": 0, \"startTime\": \"2024-02-27T10:17:35Z\", \"currentDirPath\": \"\", \"isCompromised\": false, \"lnkPath\": \"\", \"parentProcess\": { \"imageName\": \"kernel_task\", \"pid\": 0, \"systemProcess\": true, \"imagePath\": \"kernel_task\", \"commandLine\": \"\", \"exeHash\": { \"sha1\": \"24BF148FA83C8A5D908C33954B5CA91A5E4E3659\", \"sha256\": null }, \"sid\": \"\", \"username\": \"root:wheel\", \"sidNameUse\": 0, \"startTime\": \"2024-02-27T10:17:35Z\", \"currentDirPath\": \"\", \"isCompromised\": false, \"lnkPath\": \"\" } } } } } } }, \"eventType\": \"Process/PosixExec\" }"
| spath
| eval processChain='processInfo.imagePath'." ".'processInfo.commandLine'
| foreach processInfo*.parentProcess.imagePath
    [| eval processChain=mvappend(processChain,'<<FIELD>>'." ".'processInfo<<MATCHSEG1>>.parentProcess.commandLine')]
```

You end up with a multi-value field which you can use mvjoin to format as you wish.
Has anyone integrated Azure WAF with Splunk? If so, let me know which app or add-on you used.
Is there any way to create a new token that I can pass to the filters (i.e. ABC and DEF) and rows? @richgalloway @bowesmana
Hey Bishida, thanks for your prompt reply!

Java version: jdk11 on an Ubuntu sandbox, "1.8.0_392" on local, OpenJDK version "17.0.10" 2024-01-16 on a k8s pod. We have used Ubuntu EC2, pods with Java, and WSL on Linux, but no luck with profiling on any of those. None of them are able to show profiling on the Splunk Observability platform.

Then we are instrumenting the curl app using the given command

```shell
java -javaagent:splunk-otel-javaagent.jar -Dsplunk.profiler.enabled=true -Dsplunk.profiler.memory.enabled=true -Dotel.service.name=ec2 -Dotel.resource.attributes=deployment.environment=lab,service.version=1.0 -Dotel.exporter.otlp.endpoint=http://localhost:4317 -Dsplunk.metrics.endpoint=http://localhost:9943 -jar target/curlapp-1.1-SNAPSHOT.jar
```

and setting up the following environment variables:

```shell
SPLUNK_OTEL_AGENT=localhost
OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
OTEL_SERVICE_NAME="java_application"
OTEL_RESOURCE_ATTRIBUTES="deployment.environment=lab,service.version=1.0"
```

So, we are using a curl app https://github.com/astro7982/curlappstatic which was present in one of Splunk's tutorials. Then we are installing the collector; I have tried various ways, one being adding the integration and copying the commands, and it starts using systemctl in an Ubuntu image.

One thing is that after instrumenting the app we get the app logs with some OTel-populated metrics like "profiling JFR detected at "./jfr" file name". Also, apart from putting the service name and env in the exporter vars and passing the Java options, the logs say that no service name is set and ask us to export it again; we have cross-checked that the service name is set properly, and on APM we can see the service name too. We have also tried this with a simple hello world Java app and with petclinic, but no luck.

Hope this information is useful!
If I were to approach it, I would take the total time difference and subtract the evening and morning out-of-hours time for each difference in days, then subtract the working hours for each weekend day and holiday date between the start date and the end date. I would use a lookup file for the holiday dates, with every holiday date you want to consider, and for each date another field with a flag in it. I would work out what the dates were by creating a multi-value field with all the intervening dates in it. The lookup could then retrieve all the holiday flags and therefore be able to work out how many hours to deduct from the duration.
Please help me understand how to calculate the working hours up to the incident end/resolved date (we might need to consider the case where the incident is closed on a weekend) and the number of middle days excluding holidays and weekends. Kindly help me with the Splunk query. Do we need to use mv commands like mvindex, mvexpand and mvjoin for calculating the number of middle days excluding holidays and weekends?
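The calculation asked about here and sketched in the answer above, as an added Python example that is not part of the thread: rather than subtracting out-of-hours time as the answer describes, it clips each calendar day's overlap with the working window and sums the pieces, which gives the same result and handles a start or end that falls on a weekend, a holiday, or outside office hours. It also counts the "middle days" (full working days strictly between the two dates) that the question asks for. The holiday set, the 09:00-17:00 window and the function names are constructed assumptions standing in for the lookup file.

```python
from datetime import date, datetime, time, timedelta
from typing import Iterable, Set

# Added example (not from the thread): business hours between two timestamps,
# skipping weekends and a holiday lookup. Holidays and office hours are
# constructed assumptions.

HOLIDAYS: Set[date] = {date(2024, 1, 1), date(2024, 12, 25)}
WORK_START = time(9, 0)
WORK_END = time(17, 0)

def is_working_day(d: date, holidays: Iterable[date] = HOLIDAYS) -> bool:
    """Monday-Friday and not in the holiday lookup."""
    return d.weekday() < 5 and d not in set(holidays)

def working_hours(start: datetime, end: datetime,
                  holidays: Iterable[date] = HOLIDAYS) -> float:
    """Hours inside the office window between start and end, day by day."""
    if end <= start:
        return 0.0
    holidays = set(holidays)
    total = timedelta()
    day = start.date()
    while day <= end.date():
        if is_working_day(day, holidays):
            # Clip the interval to this day's office window; a start before
            # 09:00 or an end after 17:00 contributes nothing outside it.
            window_start = max(start, datetime.combine(day, WORK_START))
            window_end = min(end, datetime.combine(day, WORK_END))
            if window_end > window_start:
                total += window_end - window_start
        day += timedelta(days=1)
    return total.total_seconds() / 3600

def middle_days(start: datetime, end: datetime,
                holidays: Iterable[date] = HOLIDAYS) -> int:
    """Full working days strictly between the start date and the end date."""
    holidays = set(holidays)
    day = start.date() + timedelta(days=1)
    count = 0
    while day < end.date():
        if is_working_day(day, holidays):
            count += 1
        day += timedelta(days=1)
    return count

if __name__ == "__main__":
    opened, resolved = datetime(2024, 12, 24, 10, 0), datetime(2024, 12, 27, 12, 0)
    print(working_hours(opened, resolved), "h over", middle_days(opened, resolved), "middle working day(s)")
```

For the SPL version, the same clipping loop maps onto the multi-value approach from the answer: mvrange over the intervening days, a lookup to flag holidays, and a per-day eval of the clipped overlap summed with mvjoin or sum().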
Did you find a solution for this? I have some UFs that run as Local System and they can send Sysmon logs, but I have some UFs that run with a virtual account and therefore they can't send Sysmon logs. I get the same message as you.