Hi, here is a list of different articles on how this can be done in Splunk. There are a lot of options for finding hosts or sources that stop submitting events:
- Meta Woot! https://splunkbase.splunk.com/app/2949/
- TrackMe https://splunkbase.splunk.com/app/4621/
- Broken Hosts App for Splunk https://splunkbase.splunk.com/app/3247/
- Alerts for Splunk Admins ("ForwarderLevel" alerts) https://splunkbase.splunk.com/app/3796/
- Monitoring Console https://docs.splunk.com/Documentation/Splunk/latest/DMC/Configureforwardermonitoring
- Deployment Server https://docs.splunk.com/Documentation/DepMon/latest/DeployDepMon/Troubleshootyourdeployment#Forwarder_warnings
Some helpful posts:
- https://lantern.splunk.com/hc/en-us/articles/360048503294-Hosts-logging-data-in-a-certain-timeframe
- https://www.duanewaddle.com/proving-a-negative/
Have you added script="simple_xml_examples:showtokens.js" to your <form …> line? With this addition you can see all defined tokens and their values. Of course you must first install this app.
How do you know it isn't working? How are you using the token? Try updating the title (temporarily) to see if it changes:

<event>
  <title>$channel_token$</title>
  <search>
    <query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$ | fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details</query>
  </search>
  <fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
  <option name="count">50</option>
  <option name="list.drilldown">none</option>
  <option name="list.wrap">1</option>
  <option name="raw.drilldown">none</option>
  <option name="refresh.display">progressbar</option>
  <option name="table.drilldown">all</option>
  <option name="table.sortDirect">asc</option>
  <option name="table.wrap">1</option>
  <option name="type">table</option>
  <drilldown>
    <condition field="Channel">
      <set token="channel_token">$click.value$</set>
    </condition>
  </drilldown>
</event>
I totally agree with @PickleRick that this case should continue with some local company/contractor. There are too many open items, and one must see your real architecture and also logs to give you an answer.
I'm assuming they thought the "very stupid question" part was directed at the OP. 
I'm not the OP, but this helped me.
I am using Splunk version 9.4.0. I got rid of the list and raw drilldown options and made sure only table.drilldown was present and set to all. It's still not working.
This should be higher up. Correct solution. 
I have a version working with just table.drilldown = all, i.e. list.drilldown and raw.drilldown seem to be redundant. Also, table.drilldown = 1 seems to work. Which version of Splunk are you using?
It is not solved, thank you for asking!
1. Can you please alert me to what is harmlessly redundant?
2. The token does not work. I used a drilldown to set Channel to click.value (I also tried to set Channel to row.Channel), but it doesn't work.
Has this now been solved (as I can't see anything wrong with what you posted - apart from some obvious harmlessly-redundant options)?
Hi Team. Could you please look into my post and respond on automatic event correlation in Splunk ITSI (without creating manual correlation searches) for third-party tools/log4j? Thank you.
How to get/add pre-populated fields as checkboxes for the severity field
Hi @te25 This might work; it assumes the lookup has a list of firewalls with a "host" field:

| inputlookup firewall_lookup.csv
| eval reported=0
| append
    [ search index=yourIndex sourcetype=pan:traffic earliest=-15m
      | stats count by host
      | eval reported=1
      | fields host reported ]
| stats max(reported) as reported by host
| rex field=host "(?<pair>[^0-9]+)"
| stats sum(reported) as reporting_count, values(host) as firewalls by pair
| where reporting_count=0
| table pair firewalls

Did this answer help you? If so, please consider: adding karma to show it was useful; marking it as the solution if it resolved your issue; commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
Hello, and thank you for your help! Here is what my dashboard looks like now:

<event>
  <search>
    <query>$case_token$ sourcetype=hayabusa $host_token$ $level_token$ $rule_token$ | fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details</query>
  </search>
  <fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
  <option name="count">50</option>
  <option name="list.drilldown">none</option>
  <option name="list.wrap">1</option>
  <option name="raw.drilldown">none</option>
  <option name="refresh.display">progressbar</option>
  <option name="table.drilldown">all</option>
  <option name="table.sortDirect">asc</option>
  <option name="table.wrap">1</option>
  <option name="type">table</option>
  <drilldown>
    <condition field="Channel">
      <set token="channel_token">$click.value$</set>
    </condition>
  </drilldown>
</event>

Here is what the corresponding search looks like:

index=test-index sourcetype=hayabusa host=* Level=* RuleType=*
| fields Timestamp, host, Computer, Level, Channel, RecordID, EventID, Ruletitle, Details
Have your lookup return the common name for the ha pair and detect when the pair has not sent logs (recently)
Hello. I am working on creating an alert in Splunk for detecting when a firewall stops sending logs. We have all logs from firewalls forwarded to syslog in Splunk as sourcetype=pan:traffic. The problem is we have HA pairs (active and passive firewalls) and I don't see how to construct the query to check when BOTH firewalls (let's say active city-fw01 and passive city-fw02) don't send logs. We have more than 100 devices, so I am using a lookup table with the list. Any idea would be great, thanks.
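An added example (not from any poster in this thread) that combines the two suggestions above: the lookup carries the HA pair name, and a pair is only flagged when none of its members has logged in the alert window. It assumes firewall_lookup.csv has "host" and "pair" columns, that "yourIndex" is a placeholder, and that hosts without a pair value fall back to stripping the trailing digits (city-fw01 -> city-fw); a 24h tstats window is used so the result also shows when a silent pair last logged.

```spl
| inputlookup firewall_lookup.csv
| fields host pair
| append
    [| tstats max(_time) as last_seen
       where index=yourIndex sourcetype=pan:traffic earliest=-24h
       by host ]
| stats values(pair) as pair, max(last_seen) as last_seen by host
``` fallback pair name when the lookup row has no "pair" value ```
| eval pair=if(isnull(pair), replace(host, "\d+$", ""), pair)
``` a member counts as reporting only if it logged inside the 15 minute alert window ```
| eval reported=if(isnotnull(last_seen) AND last_seen >= relative_time(now(), "-15m"), 1, 0)
| stats sum(reported) as reporting_count, values(host) as members, max(last_seen) as last_seen by pair
``` keep only pairs where neither the active nor the passive member reported ```
| where reporting_count=0
| eval last_seen=if(isnull(last_seen), "not seen in last 24h", strftime(last_seen, "%Y-%m-%d %H:%M:%S"))
| table pair members last_seen
```

The host values in the lookup must match the indexed host field exactly (including case), otherwise a firewall that is logging will still appear silent; hosts that log but are missing from the lookup show up under their fallback pair name, which is a useful inventory check in itself.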
Can't reproduce either - please share your dashboard/report search so we can see what else might be going on?
Can't reproduce.

| makeresults count=100
| eval _raw="2025-05-19 12:38:40 aaa <something> bbb <something else> let's make this event long. Or at least long-ish. reason=we'll see how it works <br> &lt;<how about <now>/>&rt; No change. Thisisfine...", host="a", source="b"
| transaction maxevents=10000 host source
| table _time host source _raw

Splunk 9.3.0. Works as it should.
And what is the problem you're trying to solve?