All Posts
I've obtained this information from VirusTotal, and I want to create a playbook to check IP reputation and retrieve the results. I want to make a decision where if the result is greater than 0, it will write a note stating 'It's malicious from VirusTotal.' You can see this example: Community Score or information like '4/94 security vendors flagged.' I want to compare it according to VirusTotal from the playbook. However, when I run it, it only shows 'detected urls: 2.' Can someone explain this?
Hello, I'm looking to set up a log retention policy for a specific index, for example index=test. Here's what I'd like to configure:
- Total retention time = 24 hours
- First 12 hours in hot+warm, then
- Next 12 hours cold.
- After that, the data should be archived (not deleted).
How exactly should I configure this, please? Also, does the number of buckets need to be adjusted to support this setup properly on such a short timeframe? Thanks in advance for your help.
Please can you confirm the field names in your OS lookup? Thanks
So you terminated the old node and then brought a new one up. But what about Splunk in these cases? How was it installed, and what about configurations and old data? Was this a totally clean installation which was then added to the cluster, or was it an old installation with GUI, <index>.dat files + real indexes?
index=endpoint_defender source="AdvancedHunting-DeviceInfo"
| rex field=DeviceName "(?<DeviceName>\w{3}-\w{1,})."
| eval DeviceName=upper(DeviceName)
| lookup snow_os.csv DeviceName output OS BuildNumber Version
| lookup OS_Outdated.csv OperatingSystems as OS BuildNumber Version OUTPUT Outdated
| fillnull value=false outdated
| table DeviceName OS BuildNumber Version Outdated

This is what I am using, but the problem is that this line:

| lookup OS_Outdated.csv OperatingSystems as OS BuildNumber Version OUTPUT Outdated

is not generating any results.
I am doing this but outdated is showing nothing.
Hi, the path you search is: resourceSpans{}.scopeSpans{}.spans{}.attributes{}.value.stringValue but in your JSON data example, the path to stringValue is: resourceSpans{}.resource{}.attributes{}.value.stringValue. Maybe it helps.
Hi @kn450, With respect to your prior comments: "... it's important to note that the queries used are not written in Splunk’s native SPL language; instead, they rely on Elasticsearch queries. This limits the integration with some of Splunk’s core functionalities and does not provide the desired level of efficiency in terms of performance and deep analysis." I use custom generating commands to run Elasticsearch searches, and I treat the results as if they came from a similar base SPL command. I agree the ideal would be a virtual index or federated search that compiles a search command into equivalent Elasticsearch Query DSL, for example, but that isn't presently feasible. What Splunk functionality would you like to use with custom search commands, including those from apps on Splunkbase, that you cannot use? Do you have specific use cases in mind?
Unfortunately, the issue is back on 2 indexers again.
The nodes are in a scaling group, they were replaced one by one. Everything worked without any issues in a different environment.
Hi @kn450, @Saba

I encountered this same issue a few days back and solved it by running a playbook to do a Splunk search to create the event_id from the data in my artifact. The macro `get_event_id_meval` is used to create the event id from the indexer_guid, index and event_hash fields, separated by "@@", i.e. indexer_guid@@index@@event_hash. Is this the best way? Probably not, but it does work and I can always update it should I find a better solution. See the search below.

index=notable search_name="<your_search_name>" firstTime="xxxx" lastTime="xxxx"
| eval `get_event_id_meval`
| fields event_id
I see, okay - in that case I think the below might work for you? This works by setting the fieldName into the value, so you don't need something=$token$; you just do $token$ as it already contains something= within it:

All:

<form version="1.1">
  <label>Demo</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="testToken" searchWhenChanged="true">
      <label>Test. Token</label>
      <choice value="*">All</choice>
      <choice value="&quot;resourceSpans{}.resource.attributes{}.value.stringValue&quot;=&quot;CONSO_ABAQ | 31/03/2016 | 23&quot;">CONSO_ABAQ | 31/03/2016 | 23 (Static)</choice>
      <fieldForLabel>obj</fieldForLabel>
      <fieldForValue>option</fieldForValue>
      <search>
        <query>| makeresults | eval obj="CONSO_ABAQ | 31/03/2016 | 22" | eval option="\"resourceSpans{}.resource.attributes{}.value.stringValue\"=\"".obj."\""</query>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>|makeresults | eval _raw=json_set("{}","resourceSpans{}.resource.name.stringValue","Testing") |append [makeresults | eval _raw=json_set("{}","resourceSpans{}.resource.attributes{}.value.stringValue","CONSO_ABAQ | 31/03/2016 | 22")] |spath|search $testToken$</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @Jacob_Edelen, Schedule PDF delivery was added in 9.3. You can check out our "What's new in Dashboard Studio" docs to see new features shipped with each version: https://docs.splunk.com/Documentation/Splunk/9.4.2/DashStudio/WhatNew#:~:text=Schedule%20PDF%20and%20PNG%20exports%20of%20dashboards
Will this be available in version 9.4.2? We are upgrading in the coming weeks and have people itching for it.
Why are you using process_path=$Get_Process_Path|s$ if $Get_Process_Path$ already has the process_path="* prefix? Is this what is causing the issue?
Hi, my dashboard has a few text boxes and I'm trying to make the inputs as user friendly as possible. I came across multiple issues which I have solved with previous posts; however, there is a conflict between the solutions that prevents me from implementing both at the same time.

#1 - If a text input is empty then that field should be ignored in the search. This can be fixed by adding a prefix and suffix. Ideally we can also input partial paths, so there is also an implicit * character.

<input type="text" token="Get_Process_Path">
  <label>Process Name or Path</label>
  <prefix>process_path="*</prefix>
  <suffix>*"</suffix>
</input>

https://community.splunk.com/t5/Dashboards-Visualizations/Evaluating-form-field-if-not-null/td-p/18164

#2 - Interpret backslash characters as text so we don't need to manually add \\ to every path. The |s filter for tokens fixed this.

process_path=$Get_Process_Path|s$

https://community.splunk.com/t5/Dashboards-Visualizations/How-do-you-escape-backslashes-in-user-input-and-then-use-that/m-p/142096

I can get both of these working on their own but not at the same time. Is there a way to do this or do I need a different approach? Thanks.
Thank you!
Hi @livehybrid

Thanks for looking into this - cheers. The issue is that I have filters (drop-downs) that I am using to zoom into data. So when I pick a jobID it works very well for other tables. For example, the table below would have a filter; the code would look like this. So this is perfect for "CONSO_ABAQ | 31/03/2016 | 22". However, if I put in * from the drop-down, I won't get the original line as it does not have resourceSpans{}.scopeSpans{}.spans{}.attributes{}.value.stringValue - however, I am looking to extract other data from that line to complete the table.

host="MARKET_RISK_PDT_V2" index="murex_logs" sourcetype="Market_Risk_DT"
| search "resourceSpans{}.resource.attributes{}.value.stringValue"="*"
| search resourceSpans{}.scopeSpans{}.spans{}.attributes{}.value.stringValue = "CONSO_ABAQ | 31/03/2016 | 22"
| spath resourceSpans{}.scopeSpans{}.spans{} output=scopeSpans
| stats count by scopeSpans
| spath input=scopeSpans
| rename startTimeUnixNano as start
| rename endTimeUnixNano as end
| eval _time=start/pow(10,9)
| eval duration = end -start
| eval duration= duration/1000000
| eval duration = round(duration,0)
| eval parentSpanId =if(parentSpanId="" ,"0", $parentSpanId$)
| rename name as SPAN_TYPE
| search traceId = *
| search spanId="*" OR parentSpanId="*"
| stats avg(duration) as Average count(duration) AS count, stdev(duration) AS stdev, median(duration) AS median, exactperc75(duration) AS perc75, exactperc95(duration) AS perc95, exactperc99.5(duration) AS perc99.5, min(duration) AS min, max(duration) AS max by SPAN_TYPE
| sort - Average
Hi @robertlynch2020

I might be misunderstanding something here, but why are you searching for resourceSpans{}.scopeSpans{}.spans{}.attributes{}.value.stringValue = "*" if you want to include data which does not have it? If you search for a field with value * then the field must exist. It might help if we could understand your use case here, if you're able to share a little more info, please?

Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi, I have the following data (below). I have a situation where I want to search for "*" on a search and have it return all the data.

resourceSpans{}.scopeSpans{}.spans{}.attributes{}.value.stringValue = "*"

However, this works for 99.9% of my data, but not the line below. This path is not there. So when I run the command above, I get no results. However, I am looking for all data with the *. But as the path is not there, it is excluding it. Is there any way I can still get the data back?

{"resourceSpans":[{"resource":{"attributes":[{"key":"process.pid","value":{"intValue":"600146"}},{"key":"service.instance.id","value":{"stringValue":"003nhhk3"}},{"key":"service.name","value":{"stringValue":"LAUNCHERMXMARKETRISK_MPC"}},{"key":"service.namespace","value":{"stringValue":"LAUNCHER"}},{"key":"telemetry.sdk.language","value":{"stringValue":"java"}},{"key":"telemetry.sdk.name","value":{"stringValue":"opentelemetry"}},{"key":"telemetry.sdk.version","value":{"stringValue":"1.34.0"}},{"key":"mx.env","value":{"stringValue":"dell945srv:13003"}}]},"scopeSpans":[{"scope":{"name":"mx-traces-api","version":"1.0.0"},"spans":[{"traceId":"10731f4b1d19380ceb33ae33672dbd5f","spanId":"cbf88ed07b403b48","parentSpanId":"3cfc7d85786b676b","name":"createSubmission","kind":1,"startTimeUnixNano":"1747152946314481406","endTimeUnixNano":"1747152946314775297","status":{}},{"traceId":"10731f4b1d19380ceb33ae33672dbd5f","spanId":"8ff7fabcab4b12d0","parentSpanId":"3cfc7d85786b676b","name":"createSubmission","kind":1,"startTimeUnixNano":"1747152946353054099","endTimeUnixNano":"1747152946353187644","status":{}},{"traceId":"10731f4b1d19380ceb33ae33672dbd5f","spanId":"4b14e49df1e1ffd8","parentSpanId":"3cfc7d85786b676b","name":"createSubmission","kind":1,"startTimeUnixNano":"1747152946474942393","endTimeUnixNano":"1747152946475042609","status":{}},{"traceId":"10731f4b1d19380ceb33ae33672dbd5f","spanId":"169b89bf118931d8","parentSpanId":"3cfc7d85786b676b","name":"createSubmission","kind":1,"startTimeUnixNano":"1747152946488875310","endTimeUnixNano":"1747152946488933120","status":{}}]}]}]}