Hi @Muthu_Vinith, you should use a regex like the following:

| rex field=result "\w:\\\w+\\\w+\\(?<myfield>[^\.]+)"

that you can test at https://regex101.com/r/BYH1rP/1

Ciao.
Giuseppe
Hey Experts, I'm new to splunk and I'm trying to extract APP, WEB and MNOPQ from a field called result. Can someone please guide me on how to achieve this? Any help or example queries would be greatly appreciated. Thank You!

Fi a:\abc\def\MNOPQ.txt content is expected to include "A H Dis Query,0,0"
Fi a:\abc\def\APP.txt content is expected to include "A H Dis Query,0,0"
Fi a:\abc\def\WEB.txt content is expected to include "A H Dis Query,0,0"
It looks like you have introduced the double equals again! Try something like this:

sourcetype="my_source" [search sourcetype="my_source" "failed request, request id=" | rex "failed request, request id=(?<request_id>[\w-]+)" | top limit=100 request_id | fields request_id | rename request_id as search]
This works perfectly thank you very much.
Hi to everyone, I have recently installed Splunk enterprise (9.1.2) on an ubuntu 20.04 with the add-on "Splunk App for Stream" (8.1.1). On another VM (also ubuntu 20.04, IP: 192.168.182.134) I put my UF (9.1.2). In the UF, I put the add-on "Splunk Add-on for Stream Forwarders" (8.1.1) to capture stream/packets.

My streamfwd.conf file is:

[streamfwd]
logConfig = streamfwdlog.conf
port = 8889
ipAddr = 192.168.182.134
netflowReceiver.0.decodingThreads = 4
indexer.0.uri = http://192.168.182.132:8088

[streamfwdcapture]
netflowReceiver.0.ip = 192.168.182.134
netflowReceiver.0.interface = ens33
netflowReceiver.0.port = 9995
netflowReceiver.0.decoder = netflow

And in my streamfwd.log I have this:

2024-02-12 01:28:47 INFO [140717870847936] (CaptureServer.cpp:817) stream.CaptureServer - Found DataDirectory: /opt/splunkforwarder/etc/apps/Splunk_TA_stream/data
2024-02-12 01:28:47 INFO [140717870847936] (CaptureServer.cpp:823) stream.CaptureServer - Found UIDirectory: /opt/splunkforwarder/etc/apps/Splunk_TA_stream/ui
2024-02-12 01:28:47 INFO [140717870847936] (CaptureServer.cpp:896) stream.CaptureServer - Default configuration directory: /opt/splunkforwarder/etc/apps/Splunk_TA_stream/default
2024-02-12 01:28:53 INFO [140717870847936] (CaptureServer.cpp:1918) stream.CaptureServer - Netflow receiver configuration defined; disabling default automatic promiscuous mode packet capture on all available interfaces. Configure one or more streamfwdcapture parameters in streamfwd.conf to enable network packet capture.
2024-02-12 01:28:53 INFO [140717870847936] (SnifferReactor/SnifferReactor.cpp:327) stream.SnifferReactor - No packet processors configured
2024-02-12 01:28:54 INFO [140717870847936] (CaptureServer.cpp:2001) stream.CaptureServer - Starting data capture
2024-02-12 01:28:54 INFO [140717870847936] (SnifferReactor/SnifferReactor.cpp:161) stream.SnifferReactor - Starting network capture: sniffer
2024-02-12 01:28:54 INFO [140717870847936] (CaptureServer.cpp:2362) stream.CaptureServer - Done pinging stream senders (config was updated)
2024-02-12 01:28:54 INFO [140717870847936] (main.cpp:1109) stream.main - streamfwd has started successfully (version 8.1.1 build afdcef4b)
2024-02-12 01:28:54 INFO [140717870847936] (main.cpp:1111) stream.main - web interface listening on port 8889

But, in my splunk_stream_app I have this:

If anyone can help me to fix this issue, I will be glad to read it.
Here's a step-by-step guide to activating a forwarder server:

1) Install Splunk Universal Forwarder
2) Configure Forwarder
3) Start the Forwarder
4) Monitor Forwarder Status
5) Verify Data Forwarding
OK. I haven't been following this topic very closely but I have a feeling you extracted the field manually. If so, that makes the search harder because at the time of the initial search you don't have fields extracted yet. But if it's simply a case of searching for another field than the one you're getting your values from, just do " | rename field1 as field2" at the end of your subsearch and you're all set.
Certainly! There are a few stages involved in regenerating SSL certificates for your Windows Splunk instance. Here's a step-by-step guide:

1. Generate a New SSL Certificate
- Open a command prompt that has administrator access
- Go to the Splunk bin directory. It's usually found under C:\Program Files\Splunk\bin.
- To create a fresh SSL certificate, use the Splunk command-line utility. Run the following command:

  Splunk createssl server-cert -d <your_domain_name>

2. Configure Splunk to Use the New Certificate
- Go to the directory where the Splunk configuration is located. Usually, it can be found at C:\Program Files\Splunk\etc\system\local
- Open web.conf in a text editor
- To point to the newly generated SSL certificate and private key, update the privKeyPath and serverCert settings:

  [settings]
  enableSplunkWebSSL = true
  privKeyPath = C:\Program Files\Splunk\etc\auth\server.pem
  serverCert = C:\Program Files\Splunk\etc\auth\server.pem

3. Restart Splunk
- With administrator rights, open a command prompt
- Go to the Splunk bin directory
- Use the following command to restart Splunk:

  Splunk restart

4. Test the New SSL Configuration
- Open a web browser and use HTTPS to access the Splunk web interface
- A green padlock icon signifying a secure connection ought to be visible. To verify that it is the new certificate with a valid expiration date, click on it to examine the certificate details

You should be able to use these procedures for your Windows Splunk instance and make sure that it is connecting securely with the new certificates.
Hi @ITWhisperer, below is the search I am trying:

search sourcetype="my_source" "failed request, request id=" | rex "failed request, request id==(?<request_id>\"?[\w-]+\"?)" | stats values(request_id) as request_ids | eval request_ids = "\"" . mvjoin(request_ids, "\" OR \"") . "\"" | eval request_ids= replace(request_ids,"^request_id=","") | format

@PickleRick, sorry, I did not follow you. So basically my subsearch gives me a list of failed request_ids, then that list will act as input to my main search and give me the main events; I need to extract different fields related to that req id (i.e. accountId).
| sort 0 _time | eventstats last(Status) as lastStatus by EquipmentID | where lastStatus!="null" | streamstats last(Status) as previous current=f global=f by EquipmentID | where Status!="null" and previous=="null" | stats last(_time) as lastTime last(lastStatus) as lastStatus by EquipmentID | eval duration=now()-lastTime
Hi, I have a statistics table panel created in the dashboard. Please could you help me to reduce the panel width? Thanks.
I see, you are correct I made a mistake in my example events the 120 should indeed be 360. Thanks for catching my mistake
This is different to your original question - using this criteria, with your first set of events, the duration would have been 360 not 120, correct?
Thanks for the reply, unfortunately it doesn't seem to work completely. I have the timerange set to the previous 15 minutes. What I think happens is that the query takes the first !=null and starts the duration from there. I fixed this by adding |sort _time 0 to the top of the query, but then it only tracks the time of the last status. I would like for it to track the total time all statuses are !=null.

When I use your query I get durations of ~900 seconds while they are between 1-100. When I add the time sort I only get the duration of X and not X+Y (from the following events). Do you happen to know how I get the duration of X+Y?

Time   EquipmentID  Status  JobID
12:00  1            X       10
12:01  1            "null"  10
12:02  1            "null"  10
12:03  1            Y       10
12:04  1            Y       10
12:05  1            Y       10
12:06  1            Y       10
12:07  1            X       10
12:08  1            X       10
The reason why this failed after the first run is that you have changed the admin password to a different one than you have configured in your docker conf file. When it tries to log in to splunk via the REST endpoint with user and password it cannot, as it has the old password. You could fix this by changing your current admin password in the docker config file and running it again.
Hello experts, for IWSVA, is there any specific sourcetype that we can select?
Why does the URA not update itself after a scan? I've had several apps installed for more than 2 weeks, and still I get the same message:

----------------------------------------
Details
This newly installed App has not completed the necessary scan.
Version 1.1.6
Application Path /opt/splunk/etc/apps/it_essentials_learn
Required Action Please check again in 24 hours when the necessary scan is complete.
---------------------------------------

Even if I force a scan, nothing changes.
Ok. There are three ways of resolving this.

1. Preferred - define extractions for the needed fields. It's most probably not the only time you're gonna be using them.
2. Add the subsearch further down the search pipeline. This is a bad idea because you'd be first extracting the field from all events and filtering the events only after that. Waste of resources.
3. Rework your subsearch so that you manually create a set of conditions to be inserted "as is" into the main search and return that as a single value of a field called "search".

Both latter solutions are overly complicated and/or inefficient, so I'd advise you to properly extract the fields in the first place.
I have a filter of Entity which has token t_entity, and in drilldown it has All, C2V, C2C and Cases. And I have different panels of this which show counts. I have a separate panel of C2V counts which I only want to show when it is selected from the filter.

Filter name - Entity
Token Name - t_entity

How is this possible, to show a panel when we select it from the filter?
_get_all_passwords is deprecated, please use get_all_passwords_in_realm instead.