I have 3 panels driven by a dropdown menu.

If A is selected: Panel 1 shows Search A; Panel 2 shows the Title and the link to the URL; Panel 3 shows another search of its own (only when "A" is selected in the dropdown).
If B is selected: Panel 1 shows Search B; Panel 2 and Panel 3 disappear.
If C is selected: Panel 1 shows Search C; Panel 2 and Panel 3 disappear.
If D is selected: Panel 1 shows Search D; Panel 2 and Panel 3 disappear.

    <input type="dropdown" token="tokenSearchOption1" searchWhenChanged="true">
      <label>Sources</label>
      <choice value="A">A</choice>
      <choice value="B">B</choice>
      <choice value="C">C</choice>
      <choice value="D">D</choice>
      <change>
        <condition value="A">
          <set token="tokenSearchQuery">index= search query A</set>
          <!-- tokenShowExtra (name assumed) is set only for A; panels 2 and 3 depend on it -->
          <set token="tokenShowExtra">true</set>
        </condition>
        <condition value="B">
          <set token="tokenSearchQuery">index= search query B</set>
          <unset token="tokenShowExtra"></unset>
        </condition>
        <condition value="C">
          <set token="tokenSearchQuery">index=search query C</set>
          <unset token="tokenShowExtra"></unset>
        </condition>
        <condition value="D">
          <set token="tokenSearchQuery">index= search query D</set>
          <unset token="tokenShowExtra"></unset>
        </condition>
      </change>
      <initialValue>A</initialValue>
    </input>
    </panel>
    </row>
    <row>
      <panel id="URL_test" depends="$tokenShowExtra$">
        <title>Title URL</title>
        <html>
          <!--
          <style>
            .dashboard-row Title .dashboard-panel h2.panel-title {
              font-size: 40px !important;
              text-align: left;
              font-weight: bold;
            }
          </style>
          -->
          <center>
            <style>.btn-primary { margin: 5px 10px 5px 0; font-size: 40px !important; }</style>
            <a href="URL for a website" target="_blank" class="btn btn-primary"> Click here </a>
          </center>
        </html>
      </panel>
    </row>
    <row>
      <panel depends="$tokenShowExtra$">
        <title>Magic</title>
        <table>
          <search>
            <query>Index=Run this search when drop down A </query>
            <earliest>$tokTime.earliest$</earliest>
            <latest>$tokTime.latest$</latest>
          </search>
          <option name="drilldown">none</option>
          <option name="refresh.display">progressbar</option>
          <option name="wrap">false</option>
        </table>
      </panel>
Hello, I changed the code to the below to show "From" and "To" in the sample report below.
1) Is there a way to change "From" and "To" to bold font, and leave the rest as regular font?
2) Is it possible to just put the time token ($time.earliest) literally next to "From" in the dashboard?
3) Does addinfo obtain the data from makeresults, so I don't need to use an index and have multiple rows of info_min_time?
Thank you for your help.

    | makeresults
    | fields - _time
    | addinfo
    | rename info_min_time as earliest
    | rename info_max_time as latest
    | fieldformat earliest="From: " . strftime(earliest,"%b %d %Y %H:%M:%S")
    | fieldformat latest="To: " . strftime(latest,"%b %d %Y %H:%M:%S")
    | table earliest latest

    {
      "visualizations": {
        "viz_1putkd4H": {
          "type": "splunk.table",
          "options": {
            "headerVisibility": "none",
            "backgroundColor": "transparent",
            "tableFormat": {
              "rowBackgroundColors": "> table | seriesByIndex(0) | pick(tableAltRowBackgroundColorsByBackgroundColor)",
              "headerBackgroundColor": "> backgroundColor | setColorChannel(tableHeaderBackgroundColorConfig)",
              "rowColors": "> rowBackgroundColors | maxContrast(tableRowColorMaxContrast)",
              "headerColor": "> headerBackgroundColor | maxContrast(tableRowColorMaxContrast)"
            }
          },
          "dataSources": { "primary": "ds_P8DuhImO" }
        },
        "viz_JKbWkEG0": { "type": "splunk.markdown", "options": { "markdown": "" } },
        "viz_c9htuqvf": { "type": "splunk.markdown", "options": { "markdown": "# Sample Report" } },
        "viz_lxib04FT": { "type": "splunk.rectangle" },
        "viz_Ba02NPRN": { "type": "splunk.rectangle", "options": { "fillColor": "#ffffff" } }
      },
      "dataSources": {
        "ds_P8DuhImO": {
          "type": "ds.search",
          "options": {
            "query": "| makeresults\n| fields - _time\n| addinfo\n| rename info_min_time as earliest\n| rename info_max_time as latest\n| fieldformat earliest=\"From: \" . strftime(earliest,\"%b %d %Y %H:%M:%S\")\n| fieldformat latest=\"To: \". strftime(latest,\"%b %d %Y %H:%M:%S\")\n| table earliest latest"
          },
          "name": "time_selected"
        }
      },
      "defaults": {
        "dataSources": {
          "ds.search": {
            "options": {
              "queryParameters": { "latest": "$global_time.latest$", "earliest": "$global_time.earliest$" }
            }
          }
        }
      },
      "inputs": {
        "input_global_trp": {
          "type": "input.timerange",
          "options": { "token": "global_time", "defaultValue": "-24h@h,now" },
          "title": "Global Time Range"
        }
      },
      "layout": {
        "type": "absolute",
        "options": { "display": "auto-scale", "height": 1200 },
        "structure": [
          { "item": "viz_JKbWkEG0", "type": "block", "position": { "x": 170, "y": 110, "w": 300, "h": 300 } },
          { "item": "viz_lxib04FT", "type": "block", "position": { "x": 10, "y": 0, "w": 1190, "h": 70 } },
          { "item": "viz_c9htuqvf", "type": "block", "position": { "x": 520, "y": 20, "w": 290, "h": 50 } },
          { "item": "viz_Ba02NPRN", "type": "block", "position": { "x": 10, "y": 70, "w": 1190, "h": 40 } },
          { "item": "viz_1putkd4H", "type": "block", "position": { "x": 320, "y": 70, "w": 620, "h": 60 } }
        ],
        "globalInputs": [ "input_global_trp" ]
      },
      "description": "",
      "title": "studio times"
    }
I am installing a new Splunk server on Windows using the trial subscription for now, which may be changed to the free license later.   I have data from another Splunk for Windows server that I would like to restore to the new instance.  What is the process for doing that? Thanks, Leo
Hi All, I am trying to get the ratings and reviews information of an app in the Google Play store into Splunk using the Website Input app. Unlike the Apple app store, I am unable to identify the CSS selector for the values of reviews and ratings. Could someone please help? TIA, Nithin
I need to find newly added hosts using lookup files. The solutions in the blog didn't work for me. I will create a lookup file with all my hosts (I did). If any new host is added, it should be displayed. Any help will be appreciated.
Hi @Richfez
Yes, I have tried using the '-dedup' option with the value set to 'true' in the fill_summary_index.py script. I've been using the following command for the fill_summary_index.py script:

    ./splunk cmd python fill_summary_index.py -app search -name "test report" -et -24h@h -lt now -index raindex -dedup true -auth admin:password

I carefully reviewed the documentation and the script before testing, but I couldn't find a solution. If there are any specific parameters or configurations that I might be missing, please guide me on how to use them effectively for preventing duplicate data injection. Your assistance is much appreciated.
Thank you.
No. The Splunk distribution does not include redis, just as it doesn't include Apache httpd. Just because there are several processes on your box running as the same user that is used to run Splunk doesn't necessarily mean they are one software package. Your listing shows that the splunk user is indeed used to run several pieces of software, but they are independent of Splunk, and you should rather ask the person who deployed your server what is going on there (typically you don't run other stuff as the splunk user, so it's a relatively unusual situation).
Ok, now I think I understand. (I had 5 consecutive nights of less than 4 hours of sleep so I'm not my best self :)). Honestly, your main problem is that you have structured data and try to approach it with simple text extractions. What will happen if you get a quote inside one of those fields? I'd do a completely different thing - mvexpand the mvfield, throw spath on it, then collect the resulting fields into a new field and be done with it (if needed, recombine the results back to mvfields). But if you insist on doing the regexes, don't do it all in one pass. Do one mvmap with replace to "clean up" your data, then extract the fields to your cpe record in another mvmap pass. BTW, why don't you use normal symbols, but those escape codes? It's confusing
It's not restarting splunkd; it just reloads the deployment server (DS) related configuration. For that reason it's much faster than restarting splunkd.
OK, the Total_Delivered is defined via the labelfield added to the addcoltotals command.

So if we run

    | appendpipe [| stats sum(File_Count) by Total_Delivered]

without the addcoltotals labelfield, then the "stats ... by" from the above will not make any difference.

And if I run it as

    | addcoltotals labelfield="Total_Delivered" | appendpipe [| stats sum(File_Count) as TFC by Total_Delivered]

the output is as below:

    Files | Files_Count | Total_Delivered | TFC | Total_Delivered
    F1    | 3           |                 |     |
    F2    | 5           |                 |     |
    F3    | 3           |                 |     |
    Total | 11          | Total           | 11  | Total

Are we expecting the above output? Although the view is NOT great, we can use TFC as a token in the subject to state the value, I believe.
When you run the search manually, does it detect any Critical events?  If not, then the alert won't trigger.  Debug the query one pipe at a time to see where it fails to detect the desired events. Does the alert write to the Triggering Alerts dashboard?  If so, are you seeing anything there? Is it possible all of the detected events have an ID that were previously reported and are now throttled?
I'm assuming the redis is packaged with your product. Here are the processes we run. The splunk id could've been anything. However, the team that manages the Splunk platform in VZW also uses the id splunk to identify the original source software. I talked to the Splunk team in VZW and he directed me here.
1. Do you have redis included in one of the Splunk products? If yes, please show us how to set the password in one of the clients that connects to redis.

    splunk  3839      1 0 Dec05 ?     00:31:12 splunkd -p 8089 start
    splunk  3845   3839 0 Dec05 ?     00:00:00 [splunkd pid=3839] splunkd -p 8089 start [process-runner]
    splunk 24625  24266 0 Dec06 pts/5 00:00:26 httpd -DFOREGROUND -f /etc/httpd/conf/httpd.conf
    splunk 24631  24266 0 Dec06 pts/5 00:08:20 php k2_serverDaemon.php
    splunk 24637  24266 0 Dec06 pts/5 00:04:48 php k2_serverMonitor.php
    splunk 24643  24266 0 Dec06 pts/5 00:28:43 redis-server *:6379
    splunk 24666  24625 0 Dec06 pts/5 00:00:01 httpd -DFOREGROUND -f /etc/httpd/conf/httpd.conf
    splunk 24667  24625 0 Dec06 pts/5 00:00:02 httpd -DFOREGROUND -f /etc/httpd/conf/httpd.conf
    splunk 24668  24625 0 Dec06 pts/5 00:00:01 httpd -DFOREGROUND -f /etc/httpd/conf/httpd.conf
    splunk 24669  24625 0 Dec06 pts/5 00:00:01 httpd -DFOREGROUND -f /etc/httpd/conf/httpd.conf
    splunk 24670  24625 0 Dec06 pts/5 00:00:02 httpd -DFOREGROUND -f /etc/httpd/conf/httpd.conf
    splunk 26301  24625 0 Dec07 pts/5 00:00:01 httpd -DFOREGROUND -f /etc/httpd/conf/httpd.conf
    splunk 26825  24625 0 Dec07 pts/5 00:00:01 httpd -DFOREGROUND -f /etc/httpd/conf/httpd.conf
    splunk 46601  24625 0 Dec07 pts/5 00:00:02 httpd -DFOREGROUND -f /etc/httpd/conf/httpd.conf
    splunk 52124  24625 0 Dec07 pts/5 00:00:01 httpd -DFOREGROUND -f /etc/httpd/conf/httpd.conf
Having issues with fetching investigations in incident review. Investigation is added for the alert but when accessing the alert I get the error "There was an error fetching related investigations" under related investigations. My assumption is that it is a permissions issue since admins are able to view it with no problems. However it appears that all the permissions that are needed are in place. Any help is greatly appreciated. Follow up question - Is there a way to auto add notables to investigations that share the same artifacts?
Apologies, this was difficult to try to explain via text. I have an MV field and am iterating through it and using a regex to create multiple capture groups, then creating a new field using some of those capture groups. That new field is colon separated. Currently, I noticed that within my 3rd capture group, the values within the MV field can sometimes have non-alphanumeric characters, which is causing the regex to not match (due to the regex being [\w\s]). So... modify the regex to capture everything! But... what about when the special character is a colon ( : )? In that scenario, it will then add an additional colon in my new colon-separated field, which will make that entry invalid due to nonconformity to the pattern. I thought, why not just get rid of every non-alphanumeric character that will be in the 3rd capture group before I create the new field so there aren't issues. Which then brought me here, as I cannot seem to find a way to do that. Instead, I am now thinking it may be better to simply capture all, then clean up the new field instead, as that will not be an MV field. Maybe I can use regex and sed to eliminate any special characters in the new field; I just need to figure out how to account for the case when that character is a colon. Since it's the 3rd capture group, I would need the pattern to have 4 colons before that part of the field and 7 colons after it.

    cpe:2.3:a:\2:\3:\5:*:*:*:*:*:*:* - \1 - \4
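The colon problem in this post, and the earlier reply recommending that structured data be handled as structured data rather than with a single-pass regex, both come down to the same thing: each component has to be cleaned before it is joined into the colon-separated CPE 2.3 string, because once an unescaped colon is inside the string there is no way to tell which separator is the extra one. The Python below is an added example, not code from the post or from Splunk. The vendor/product/version records are constructed (the real multivalue field format is not shown), the cleaning rule is the one the post proposes (drop non-alphanumeric characters), and validity is checked against the 13-field shape of a CPE 2.3 formatted string.

```python
import re

# Constructed sample records (not from the original post). They stand in for the
# structured values that end up in the vendor, product and version components.
SAMPLE_RECORDS = [
    {"id": "1", "vendor": "Acme Corp", "product": "Widget Pro",  "version": "1.2.3"},
    {"id": "2", "vendor": "Acme Corp", "product": "Widget: Pro", "version": "2.0"},      # colon inside a value
    {"id": "3", "vendor": "Foo/Bar",   "product": "Thing (x86)", "version": "3.0 beta"},  # other punctuation
]

# A CPE 2.3 formatted string has exactly 13 colon-separated fields:
# cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other
CPE_FS = re.compile(r"^cpe:2\.3:[aho](?::[^:]*){10}$")

# Anything that is not a lowercase letter, digit, '.', '_' or '-' is dropped.
_DROP = re.compile(r"[^a-z0-9._-]")


def clean_component(value):
    """Normalize one CPE component: lowercase, whitespace to '_', then drop every
    remaining non-alphanumeric character. ':' is removed here, so the separator
    count of the final string cannot change. An empty result becomes the ANY
    wildcard '*' rather than an empty field."""
    v = re.sub(r"\s+", "_", value.strip().lower())
    v = _DROP.sub("", v)
    return v or "*"


def naive_cpe(rec, part="a"):
    """Plain substitution into the template, as a catch-all capture group would do."""
    return "cpe:2.3:%s:%s:%s:%s:*:*:*:*:*:*:*" % (
        part, rec["vendor"], rec["product"], rec["version"])


def safe_cpe(rec, part="a"):
    """Same template, but every component is cleaned before concatenation."""
    return "cpe:2.3:%s:%s:%s:%s:*:*:*:*:*:*:*" % (
        part,
        clean_component(rec["vendor"]),
        clean_component(rec["product"]),
        clean_component(rec["version"]),
    )


def is_valid_cpe(s):
    """True when the string has the 13-field CPE 2.3 shape."""
    return CPE_FS.match(s) is not None


def convert(records):
    """Return one (id, naive, naive_valid, safe, safe_valid) tuple per record."""
    out = []
    for rec in records:
        n, s = naive_cpe(rec), safe_cpe(rec)
        out.append((rec["id"], n, is_valid_cpe(n), s, is_valid_cpe(s)))
    return out


if __name__ == "__main__":
    for row in convert(SAMPLE_RECORDS):
        print(row)
```

Record 2 is the case the post describes: the naive string has 14 fields and fails the shape check, while the cleaned version is valid. Cleaning also removes `*` and `?` from values, which is what you want, since both are wildcards in CPE matching and a literal one inside a product name would silently widen a match.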
Hi all, how can we resolve the issue of the Cycognito correlation search not triggering any alerts in Splunk over the past month?

    index=cycog sourcetype="cycognito:issue" severity="Critical"
    | stats count, values(affected_asset) as affected_asset, values(title) as title, values(summary) as description, values(severity) as severity, values(confidence) as confidence, values(detection_complexity) as detection_complexity, values("evidence.evidence") as evidence, values(exploitation_method) as exploitation_method, earliest(first_detected) as first_detected, latest(last_detected) as last_detected, values(organizations) as organization by cycognito_id
    | eval date_found=strptime(first_detected,"%Y-%m-%dT%H:%M:%S.%QZ")
    | eval control_time = relative_time(now(), "-24h")
    | where date_found > control_time

Thanks in advance.
Hi @yogeshgs, my Splunk Cloud instance does not have the Data Manager app, and as per my understanding it ships with the instance and can't be installed separately. Can you guide me on what to do in this case if I need Data Manager for my instance? Any response will be appreciated, and thanks in advance.
Hi @burwell ,  Yes, this did fix my issue. I adjusted the default 2p to represent 5 days worth of time in seconds. Now when I check job manager when the alert is triggered, I see the expire time is 5 days away now.  Thanks
My data model is searching for all Windows logins.

    index=* EventCode=4624 OR (EventCode=4625 OR ((EventCode=4768 OR EventCode=4771 OR EventCode=4776) status="failure")) NOT (user=*$) NOT (user=system) NOT (user=*-*)

With this search I get a field called dest_nt_domain. This field will have results such as Test, Test.local, other. My above search has the rex command to remove everything after the period. I finally have a KV store lookup called Domain with a field of name. It contains one value: Test. I'm wanting to evaluate the above data against the one value in my KV lookup.
Given that per host there are 2 events logged, one indicating a transition to active and one indicating a transition to inactive, I can't figure out a query that can accurately do this per host given the following stipulations:
1. Given the first event within the query time range, it can be assumed the host was in the opposite state prior.
2. Only calculate transitions between the 2 states; if there are multiple same events within transitions, calculate from the time of the first occurring.
3. Include the latest condition up until the time the search is run.
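The three stipulations above define a small per-host state machine, and it is worth pinning the rules down on sample data before trying to express them in SPL. The Python below is an added example, not code from the post or from Splunk, and it is not SPL: the events are constructed (epoch seconds, a `host` and a `state` of either "active" or "inactive"), `earliest`/`latest` stand in for the search window, and the output is the list of (state, start, end) intervals per host plus the total seconds spent in a state.

```python
from collections import defaultdict

# Constructed sample events (epoch seconds, not from the original post). web01 logs a
# duplicate "inactive" at t=450; db01's first event is "inactive", so by rule 1 it is
# assumed to have been active from the start of the window.
SAMPLE_EVENTS = [
    {"host": "web01", "_time": 100, "state": "active"},
    {"host": "web01", "_time": 400, "state": "inactive"},
    {"host": "web01", "_time": 450, "state": "inactive"},   # same state again: ignored (rule 2)
    {"host": "web01", "_time": 700, "state": "active"},
    {"host": "db01",  "_time": 200, "state": "inactive"},
    {"host": "db01",  "_time": 500, "state": "active"},
]

OPPOSITE = {"active": "inactive", "inactive": "active"}


def intervals_by_host(events, earliest, latest):
    """Return {host: [(state, start, end), ...]} covering the window [earliest, latest].

    Rule 1: before its first event the host is in the opposite state.
    Rule 2: consecutive events with the same state collapse to the first one.
    Rule 3: the last state runs until `latest` (the time the search is run).
    Events are assumed to fall inside the window.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["_time"]):
        by_host[ev["host"]].append(ev)

    result = {}
    for host, evs in by_host.items():
        segments = []
        first = evs[0]
        segments.append((OPPOSITE[first["state"]], earliest, first["_time"]))   # rule 1
        cur_state, cur_start = first["state"], first["_time"]
        for ev in evs[1:]:
            if ev["state"] == cur_state:                                         # rule 2
                continue
            segments.append((cur_state, cur_start, ev["_time"]))
            cur_state, cur_start = ev["state"], ev["_time"]
        segments.append((cur_state, cur_start, latest))                          # rule 3
        result[host] = segments
    return result


def seconds_in_state(events, state, earliest, latest):
    """Total seconds each host spent in `state` within the window."""
    return {
        host: sum(end - start for s, start, end in segs if s == state)
        for host, segs in intervals_by_host(events, earliest, latest).items()
    }


if __name__ == "__main__":
    for host, segs in intervals_by_host(SAMPLE_EVENTS, 0, 1000).items():
        print(host, segs)
    print("active:", seconds_in_state(SAMPLE_EVENTS, "active", 0, 1000))
```

The rule that usually gets lost when this is written as a single aggregation is rule 2: the duplicate "inactive" at t=450 must not start a new interval, so only a change of state closes the current one. Keeping the sort by `_time` per host explicit is also what makes rule 1 and rule 3 unambiguous, since both depend on which event is first and which is last.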