All Posts



I have no search to share.
Dear All, Thank you so much for the response. I am extremely sorry as I made it very difficult by sharing the whole use case. Actually, the requirement here is as follows:
1. If an email comes which was never seen before, we investigate and, when confirmed that it is legit, we should whitelist it.
2. If any email comes from the same domain, then we shouldn't get any alert (depending on the throttling value).
3. If an email comes from a new domain, again one that's not seen previously, then we should get an alert in Splunk. After that, we repeat step 1.
Is it possible for you to help me with a query to satiate this requirement? I tried my level best but it doesn't seem to be working. I would really appreciate all the help and support. Regards, Anoop
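One way to build the three requirements above as a scheduled alert, written here as an added example and not taken from the original thread. It assumes (none of these names are in the post) that the mail events sit in index=email with the sender address in a field called sender, and two CSV lookups: allowlisted_domains.csv, with one lowercase column sender_domain holding the domains confirmed legit in step 1, and seen_domains.csv, with columns sender_domain, first_seen and hits, which the search itself maintains so a domain fires only the first time it appears.

```spl
index=email sender=*
| rex field=sender "@(?<sender_domain>[A-Za-z0-9.-]+)"
| eval sender_domain=lower(sender_domain)
| lookup allowlisted_domains.csv sender_domain OUTPUT sender_domain AS allowlisted
| where isnull(allowlisted)
| stats earliest(_time) AS first_seen, count AS hits BY sender_domain
| lookup seen_domains.csv sender_domain OUTPUT first_seen AS previously_seen
| where isnull(previously_seen)
| fields sender_domain first_seen hits
| outputlookup append=true seen_domains.csv
| convert ctime(first_seen)
| table sender_domain first_seen hits
```

Schedule it to run over the window since the previous run (for example every 15 minutes over the last 15 minutes). The allowlist drops anything already confirmed; the seen_domains lookup drops anything that has already alerted, and outputlookup append=true records the survivors before they reach the alert action, so each new domain produces exactly one result. The two lookups must exist before the first run; create them once with `| makeresults | eval sender_domain="example.com" | table sender_domain | outputlookup allowlisted_domains.csv` and `| makeresults | eval sender_domain="seed.invalid", first_seen=0, hits=0 | table sender_domain first_seen hits | outputlookup seen_domains.csv`. Lookup matching is case-sensitive by default, hence the lower() and the lowercase allowlist. For requirement 2 the alert's own throttle (suppress results containing field value sender_domain, for the window you want) is the control; if you would rather have unconfirmed domains re-alert after that window instead of once only, remove the two seen_domains lines and rely on the throttle alone. One caveat a gateway log makes visible: the sender domain is taken from an unauthenticated header, so a spoofed allowlisted domain passes this filter; if your mail events carry SPF, DKIM or DMARC results, add a filter on them before the lookup.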
Hi Giuseppe, Greetings from another Joseph. We have a distributed environment with multiple SHs, 8 I think, in 2 different groups. For that reason any app/TA that has API calls or binaries goes onto an HF that we use for this purpose. We actually don't care about the UI for the app since all we want to do is pull in the events using the binaries. I tried splitting the app into an input piece and a search piece but that didn't work. We have suggested to Bloodhound that they do this. For now the app runs on the HF, which is where the KV stores are created. The teams use the SHs to look at the events in the Search app. I've had a request to copy the KV stores to one of the SH groups so they can be examined instead of using the alerts that get created from the KV stores. Regards, Joe
@n3wbi3 The error message you mentioned, “Data Durability Root Cause(s): Replication Factor is not met,” indicates that the replication factor for some buckets is not being fulfilled. Check if any peers are offline or experiencing connectivity problems. An offline peer can prevent the replication factor from being met: https://docs.splunk.com/Documentation/Splunk/9.2.0/DMC/Usefeaturemonitoring The message “All data is not searchable” suggests that some buckets are not fully searchable. Ensure that all buckets have primary copies. If a bucket lacks a primary copy, it can impact searchability. Resync the state of the affected bucket copies on the manager: https://docs.splunk.com/Documentation/Splunk/9.2.0/Indexer/Anomalousbuckets (Anomalous bucket issues - Splunk Documentation)
@richgalloway, Can you please share the possible search from your side, if possible!
@nmboner Can you check this: Deleting the Unsupported Splunk Windows Universal Forwarder (TekStream Solutions)
@jdhart1312 Check for errors: search the _internal index for any email-related errors or warnings. Use the following search query:
index=_* AND (SMTP OR sendemail OR email) AND (FAIL* OR ERR* OR TIMEOUT OR CANNOT OR REFUSED OR REJECTED)
@jdhart1312 It seems like you’re experiencing an issue with email alert notifications in Splunk. First, ensure that the user account associated with the alerts has the necessary permissions to send emails. Sometimes, issues arise due to permission restrictions. Verify that the user has the appropriate access. Test with the | sendemail command: run an ad-hoc test using the | sendemail command in your search query. This will help verify if emails are being sent correctly. If you receive the expected results via email, it indicates that the email functionality is working, and the issue might be specific to your alerts. Ensure that the size of any attachments (such as PDFs) does not exceed the email attachment size limit. Large attachments may cause email delivery problems. Email notification action - Splunk Documentation
Is it a problem if I modify it directly under the default folder? Is a restart needed after? Best regards, Altin
Here is the current data:
Feb 27 14:12:38 node0:
--------------------------------------------------------------------------
Attack database version:3670(Thu Feb 22 14:12:38 2024 UTC)
Detector version :12.2.140230313
Policy template version :3535
node1:
--------------------------------------------------------------------------
Attack database version:3670(Thu Feb 22 14:12:38 2024 UTC)
Detector version :12.2.140230313
Policy template version :3535
{primary:node0}
I need help extracting the values for attack version (just the digits), detector version and policy template version, by node (i.e. node0 and node1). The output should look something like this:
Node   Attack database version   Detector version   Policy template version
node0  3670                      12.2.140230313     3535
node1  3670                      12.2.140230313     3535
Please and thank you. I am only able to get node0 but not node1.
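One way to get one row per node out of that single event, written here as an added example rather than something from the original post: rex with max_match=0 captures every node block in the event as parallel multivalue fields, mvzip glues the values for each node into one string, and mvexpand splits those strings into rows. The event is the one quoted above, loaded with makeresults so the search runs stand-alone; the field names are my own choice, and in a real search the first two lines are replaced by the search that returns these events.

```spl
| makeresults
| eval _raw="Feb 27 14:12:38 node0: -------------------------------------------------------------------------- Attack database version:3670(Thu Feb 22 14:12:38 2024 UTC) Detector version :12.2.140230313 Policy template version :3535 node1: -------------------------------------------------------------------------- Attack database version:3670(Thu Feb 22 14:12:38 2024 UTC) Detector version :12.2.140230313 Policy template version :3535 {primary:node0}"
| rex max_match=0 "(?<node>node\d+):\s*-+\s*Attack database version\s*:\s*(?<attack_db_version>\d+)\([^)]*\)\s*Detector version\s*:\s*(?<detector_version>[\d.]+)\s*Policy template version\s*:\s*(?<policy_template_version>\d+)"
| eval row=mvzip(mvzip(mvzip(node, attack_db_version, "|"), detector_version, "|"), policy_template_version, "|")
| fields - node attack_db_version detector_version policy_template_version
| mvexpand row
| rex field=row "^(?<Node>[^|]+)\|(?<attack_db_version>[^|]+)\|(?<detector_version>[^|]+)\|(?<policy_template_version>[^|]+)$"
| rename attack_db_version AS "Attack database version", detector_version AS "Detector version", policy_template_version AS "Policy template version"
| table Node "Attack database version" "Detector version" "Policy template version"
```

The pattern anchors on "nodeN:" followed by the dashed rule, so the trailing "{primary:node0}" is not picked up as a third block, and the \s* between fields lets it work whether the event is one line or several. The multivalue fields are dropped before mvexpand so the second rex can recreate them as single values per row; without that, every row would still carry both nodes' values.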
Hi all, I have a dashboard that monitors deploys, and a table that tracks all info related to any given deploy.  I have a column labeled "pull request urls" that populates with the Github link relat... See more...
Hi all, I have a dashboard that monitors deploys, and a table that tracks all info related to any given deploy.  I have a column labeled "pull request urls" that populates with the Github link related to the deploy, and I made it clickable with a drilldown.  However, for local deploys with no link, it populates "N/A", and I would like to make that text excluded from the drilldown.  Is there anyway to exclude certain strings from drilldowns? Drilldown is copied below. <option name="drilldown">cell</option>      <drilldown>      <condition field="PULL_REQUEST_URL">           <!-- this condition field can be modified based on column header -->           <link target="_blank">$click.value2|n$</link>      </condition>      <condition>           <!-- keep this blank -->      </condition> </drilldown>
Is the GUI running on a Windows machine? If not, then I believe you will get an error like that since there are no local Windows performance inputs. Instead, you'll need Remote Performance Monitoring.
I'm not familiar enough with Windows to discuss lateral movement on that platform. I believe, however, the first step should be filtering out known-good events. Also, Splunk's User Behavior Analytics (UBA) product may be useful for this.
No. You should _not_ tag people when asking questions. This is a community-driven forum where people voluntarily help others in their own time. Tagging people when asking a question can be perceived as demanding an answer from that person. You can demand... well, if you buy a paid consultancy service, quite frankly. This is a place for sharing ideas and experiences; it's not meant as a replacement for support or as free labor.
Again, your problem is not with the value of the field but with the visualization and the visual effect you want to achieve. The values are trimmed for display and it has nothing to do with the values themselves. Also, formatting output with spaces is a no-no. We're not in the '80s anymore.
Hello, In our unique environment, we face some limitations. We cannot directly install Splunk forwarders on the database servers, nor can we create a Splunk user account within the databases. Here’s the situation:
Server A (DB server): Our databases generate SQLAudit files.
Server B (Relay): These SQLAudit files are transmitted from Server A to a different 'relay' server (let’s call it Server B). Unfortunately, Server B also cannot accommodate Splunk forwarders.
Server C (Universal Forwarder): From Server B, the audit files are further transmitted to another server (Server C). On Server C, we have a Splunk Universal Forwarder that should upload the SQLAudit files to our Splunk Cloud instance.
The challenge lies in the fact that SQLAudit files are in a native format that Splunk cannot directly interpret. While the ideal solution would be to install forwarders directly on the original DB servers (which is not feasible for us), we also recognize that using DB Connect and creating a Splunk account on the DB is not an option. Given these constraints, are there any other viable options we can explore? Best regards,
@yuanliu I was trying to display on a Single Value panel, as mentioned in the title. I added your suggestion to the Single Value panel searches; the space didn't push the text to the left like the dot did. Thanks. Please also see my response to @PickleRick.
I need to create a dashboard in which dropdown will have two values "Yesterday" and "last week" (basically compares today's data with "Yesterday" and "last week" -- this part is completed). Now I n... See more...
I need to create a dashboard in which dropdown will have two values "Yesterday" and "last week" (basically compares today's data with "Yesterday" and "last week" -- this part is completed). Now I need to display only today's data in panels before user selects any input from drop-down menu. How can I achieve that ?  
Hello @PickleRick, I tried your solution; it did not display the space, as you can see the grey dot is still in the center. Note that I was trying to do it on a Single Value panel. Please suggest. Thank you for your help. If I used the dot instead of spaces, it worked. See, the grey dot is in the center:
| makeresults | eval f1="test" | eval f1l=len(f1) | eval f2="test............" | eval f2l=len(f2) | table f2