I am developing a custom streaming command. During tests and debugging I noticed the command works fine in this search:

    index="_internal" | head 1 | table host | customcommand

and produces the following result: <class 'generator'>

But when I use the command in the following search it produces no results:

    index="_internal" | head 1 | customcommand

This is the code:

    import sys
    from splunklib.searchcommands import dispatch, StreamingCommand, Configuration

    @Configuration()
    class CustomCommand(StreamingCommand):
        def stream(self, events):
            # emit one record whose "event" field holds the type of the input iterable
            yield {"event": str(type(events))}

    dispatch(CustomCommand, sys.argv, sys.stdin, sys.stdout, __name__)

and this is commands.conf:

    [customcommand]
    chunked = true
    filename = customcommand.py
    python.version = python3
    requires_srinfo = true
    streaming = true

How can I fix that?
Add another lookup command | lookup OS_Outdated.csv OperatingSystems as OS BuildNumber Version OUTPUT Outdated  
Hi @SN1

How about

    index=endpoint_defender source="AdvancedHunting-DeviceInfo"
    | rex field=DeviceName "(?<DeviceName>\w{3}-\w{1,})."
    | eval DeviceName=upper(DeviceName)
    | lookup snow_os.csv DeviceName output OS BuildNumber Version
    | lookup os_version_status.csv OS BuildNumber Version OUTPUT Outdated
    | table DeviceName OS BuildNumber Version Outdated

Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hello. So I want to make a search. I am using

    index=endpoint_defender source="AdvancedHunting-DeviceInfo"
    | rex field=DeviceName "(?<DeviceName>\w{3}-\w{1,})."
    | eval DeviceName=upper(DeviceName)

This gives me device names. Now

    | lookup snow_os.csv DeviceName output OS BuildNumber Version

From this lookup I am comparing device names, and as output I am getting OS BuildNumber Version. And from these fields I want to compare them to this lookup to get whether this operating system is outdated or not. How can I do this?
more than 10 years later, and this is still helping people.  Thanks Martin!
This seems to work in GUI.

    | makeresults
    | eval data="D,2,,200,00,8842,,USA,,1989,,2,320301120086,,,,,19899717024,,,320335100002,,,,,:,,,0,0,0,S,00000000,0,0.0,19899717024,104129,,,0,,,,,"
    | rex mode=sed field=data "s/,,/,Null,/g"
    | rex mode=sed field=data "s/,,/,Null,/g"
    | rex mode=sed field=data "s/^,/Null,/g"
    | rex mode=sed field=data "s/,$/,Null/g"
    | table data

I don't know the exact reason why this is needed twice:

    | rex mode=sed field=data "s/,,/,Null,/g"

Somehow it is related to always handling two consecutive characters, and this is the reason why it needs to run twice. These two lines are needed to manage the first and last pairs (,Null and Null,) correctly:

    | rex mode=sed field=data "s/^,/Null,/g"
    | rex mode=sed field=data "s/,$/,Null/g"

I think that you could add a new transforms.conf for index time changes based on the above?
solution:

    SEDCMD-replaceblanks1 = s/,,/,-,/g
    SEDCMD-replaceblanks2 = s/,,/,-,/g
    SEDCMD-replaceblanks3 = s/,,/,-,/g
    SEDCMD-replaceblanks4 = s/,,/,-,/g
    SEDCMD-replaceblanks5 = s/,,/,-,/g
    SEDCMD-replaceblanks6 = s/,,/,-,/g
    SEDCMD-replaceblanks7 = s/,,/,-,/g
    SEDCMD-replaceblanks8 = s/,,/,-,/g
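As an added example, not code from either of the two posts above, this Python script models the rex/SEDCMD replacement used in the makeresults post and in the eight-stanza SEDCMD solution: it shows why a global s/,,/,Null,/g pass skips every other empty field in a run of commas, that a second pass is always enough (so eight stanzas do no more than two), and a single-pass lookaround regex that fills leading, trailing and consecutive empty fields at once. The sample row is the one quoted in the posts; the function names are my own.

```python
import re

# Constructed test input: the CSV row quoted in the posts above.
RAW = "D,2,,200,00,8842,,USA,,1989,,2,320301120086,,,,,19899717024,,,320335100002,,,,,:,,,0,0,0,S,00000000,0,0.0,19899717024,104129,,,0,,,,,"


def sed_style_fill(row, passes, filler="Null"):
    """Emulate the rex/SEDCMD chain: s/,,/,<filler>,/g applied `passes` times,
    then s/^,/<filler>,/ and s/,$/,<filler>/ for the first and last field."""
    for _ in range(passes):
        # A global replace consumes both commas of each match, so in a run such
        # as ",,," the second pair overlaps the first and is skipped. After one
        # pass every leftover ",," is separated from the next by filler text, so
        # a second pass always finishes the job; extra passes change nothing.
        row = re.sub(r",,", f",{filler},", row)
    row = re.sub(r"^,", f"{filler},", row)
    row = re.sub(r",$", f",{filler}", row)
    return row


def passes_until_stable(row, filler="Null"):
    """How many global s/,,/,<filler>,/g passes a row needs before no ",," is left."""
    count = 0
    while ",," in row:
        row = re.sub(r",,", f",{filler},", row)
        count += 1
    return count


def lookaround_fill(row, filler="Null"):
    """Single pass: put the filler at every empty-field position (between two
    commas, before a leading comma, after a trailing comma). The matches are
    zero-width, so overlapping ",," pairs never arise."""
    return re.sub(r"(?<=,)(?=,)|^(?=,)|(?<=,)$", filler, row)


def empty_fields(row):
    """Number of empty fields in a comma-separated row."""
    return row.split(",").count("")


if __name__ == "__main__":
    print("empty fields before:", empty_fields(RAW))
    print("passes needed:", passes_until_stable(RAW))
    print("one pass still has ',,':", ",," in sed_style_fill(RAW, 1))
    print("two passes == lookaround:", sed_style_fill(RAW, 2) == lookaround_fill(RAW))
```

Whether Splunk's SEDCMD dialect accepts the lookaround form is not something these posts establish, so it is shown for the Python side only; the two-pass form is the one the posts actually use.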
Most of the answers I've seen to questions like this seem to focus on the idea of reviewing essentially all of your searches and then optimizing all of your searches. While that may be good practice, it also doesn't necessarily address the actual problem, because it doesn't help you to identify the one or two searches that are specifically causing the health monitor to become red. Recently when I ran into this issue, I used this search to find the specific offending searches and then fix them, deactivating the alert.

    index=_internal sourcetype=scheduler "Scheduler Health Report recording a extremely lagged search"
This is a good point. After thinking about it, this question probably means how to get a list into a dashboard of which nodes have an OS which doesn't contain all the latest patches, etc.? Can you @SN1 confirm what you mean by “outdated OS”?
Hello @somesoni2, thank you for this approach. But it works only when we have one empty value in a row; if not, it looks like it doesn't replace every value properly. Example:

    D,2,,200,00,8842,,USA,,1989,,2,320301120086,,,,,19899717024,,,320335100002,,,,,:,,,0,0,0,S,00000000,0,0.0,19899717024,104129,,,0,,,,,

Could you please suggest a solution.
EMOREWORDS - What do you mean by "outdated OS"? Outdated OS where? Under Splunk components? Running Splunk UFs? Something else? Remember that Splunk is _not_ an endpoint management system. You must have data in the first place to be able to find something in it. So it's a question for you whether you have the data about OS versions in the first place.
If you try to follow KISS (keep it simple stupid), I said that you should do this forwarding/splitting to separate targets in the 1st full Splunk Enterprise instance (in this case your SH, MC, LM etc). Just split those there. And in this case I suppose that you don't even need separate transforms/props conf to do this. Just add a new app where you are using your own inputs.conf, which contains this additional outputs.conf with _SYSLOG_ROUTING, and add inputs.conf which sends all events (via default output) to both. But as you have QRadar as a target, it might need some modifications to the log events? I cannot recall now what kind of syslog feed QRadar needs. But if it supports the defaults which Splunk can send, you should use those. Otherwise you must add props+transforms to modify those events as needed.
Unfortunately there is no list ready to use. But you could create it based on this: https://docs.splunk.com/Documentation/Splunk/9.4.2/ReleaseNotes/Deprecatedfeatures#Platform_support_changes_in_version_9.4 Unfortunately you must go through quite a few release notes to get Splunk version vs. deprecated versions. After that you could utilize @livehybrid's query with some modifications to utilize your os-support.csv. Then, if you need this information also for UFs, you must remember that their support times are longer than the core components'! Here is a link to Splunk Core support times: https://www.splunk.com/en_us/legal/splunk-software-support-policy.html#core and just after it you can see the UF's support times, which are longer, e.g. UF 9.0 ends after 36 months instead of 24 months like core.
The best way to solve this kind of issue is to use btool, like

    splunk btool outputs list --debug

This shows all stanzas and values as Splunk takes them into use after restarting splunkd, if they were added to the files after the last restart.
In my case I had this configuration line in another app:

    forwardedindex.2.whitelist = (_audit|_introspection|_internal)

I've recognized that in etc/apps/SplunkDeploymentServerConfig/default/outputs.conf there is the statement

    forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry|_metrics|_metrics_rollup|_configtracker|_dsclient|_dsphonehome|_dsappevent)

Mine took preference because of being in local. After I removed my local one I am able to see clients in the GUI of the deployment server again.
Hi @msatish

If you open the Developer Console in your browser and navigate to the Network tab, have a look for any resource which loads slowly. Please let us know which URIs load slowly and that might help us work out what the slowness might be caused by. Please can you also confirm your architecture, resource allocation (CPU/Memory etc), number of SH/IDX etc.

Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @SN1

If you're looking for Splunk versions and their support status then you can use the following:

    index=_internal hostname=* os=*
    | stats first(fwdType) as fwdType, first(os) as os, first(version) as splunk_version by hostname
    | rex field=splunk_version "(?<version_minor>[0-9]+\.[0-9]+)"
    | append [| makeresults format=csv data="version_minor, eos_date
    9.0,Jun 14 2024
    9.1,Jun 28 2025
    9.2,Jan 31 2026
    9.3,Jul 24 2026
    9.4,Dec 16 2026"
    | eval eos_unix=strptime(eos_date,"%b %d %Y") ]
    | stats values(hostname) as hosts, first(eos_date) as eos_date, first(eos_unix) as eos_unix by version_minor
    | eval support_status=IF(eos_unix>time(),"In Support","Out of Support")
    | fillnull eos_date value="Unknown"
    | where hosts!=""

However, if you want the base OS then this might be a little trickier.

Did this answer help you? If so, please consider:
Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
You have an accelerated perception of time, so things appear slower than they really are? You are using under-powered technology that struggles with the workload being executed? On a less frivolous note, please expand on what you are seeing and how you have determined that there is a slowness that you have observed?
Works great! Thanks!
@Jimenez