Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
02-01-2024
04:29 AM
thanks @gcusello . Could you help me with below asks? when we run the base query without timewrap, the todays count is only 6 and yesterday count us 19. But, when we run the base query with timewra...
See more...
thanks @gcusello . Could you help me with below asks? when we run the base query without timewrap, the todays count is only 6 and yesterday count us 19. But, when we run the base query with timewrap the todays total is 25 and yesterday total is 13. Splunk Query: basesearch earliest=-7d@d latest=now() | timechart span=1h count | timewrap d series=short | addtotals s* | eval 7dayavg=Total/7.0 | table _time, s0, s1, Total, 7dayavg | rename s0 as Today, s1 as yesterday Results: _time Today yesterday Total 7dayavg 2024-01-31 08:00 0 0 0 0.0 2024-01-31 09:00 0 0 0 0.0 2024-01-31 10:00 2 0 4 0.57
02-01-2024
03:28 AM
Hi No these are the default ones. The issue i have many tables I want to set for all the APP Only- not the full Splunk install. I have tried things like below from other answers but i cant ge...
See more...
Hi No these are the default ones. The issue i have many tables I want to set for all the APP Only- not the full Splunk install. I have tried things like below from other answers but i cant get it to work. https://community.splunk.com/t5/Dashboards-Visualizations/Are-there-different-dashboard-colors-since-update-to-9-0-2/m-p/629683
02-01-2024
03:23 AM
How are you currently configuring the colours for this table?
02-01-2024
03:08 AM
Hi For a table how can I get back to 8.0 colors the 9.0 are very bright.
Labels
- Labels:
-
panel
02-01-2024
02:48 AM
Hi According to the Splunk Docs from version 9.1: "the installer creates a virtual account as a "least privileged" user called splunkfwd" After an upgrade to version 9.1.2 I am having trouble with...
See more...
Hi According to the Splunk Docs from version 9.1: "the installer creates a virtual account as a "least privileged" user called splunkfwd" After an upgrade to version 9.1.2 I am having trouble with the UF autostarting. Looking at Windows Event Logs I can see the following error: Which suggests the account is actually "SplunkForwarder" not "splunkfwd" When I check the Windows Service Log On user I also see the user "SplunkForwarder": And "SplunkForwarder" is also the only Splunk related user I can see when I run the following command to list all users: get-service | foreach {Write-Host NT Service\$($_.Name)} Can someone confirm that the Doc is incorrect and the virtual account created is in fact SplunkForwarder? Or is "splunkfwd" created somewhere else? Thanks
- Tags:
- user
Labels
- Labels:
-
universal forwarder
02-01-2024
02:42 AM
HF1 is with sender Add-on and configured outputs.conf with udp and input ip interface (default configurations) - Not working We have checked the connectivity with command "nc -vzu host port " the u...
See more...
HF1 is with sender Add-on and configured outputs.conf with udp and input ip interface (default configurations) - Not working We have checked the connectivity with command "nc -vzu host port " the udp port and its showing open any ideas !!!
Labels
- Labels:
-
heavy forwarder
02-01-2024
02:38 AM
HI After trying this is does not work sorry - any other ideas? Thanks Robert
02-01-2024
02:27 AM
Hi @selvam_sekar, did you explored the timewrap command at https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchReference/Timewrap ? Ciao. Giuseppe
02-01-2024
02:22 AM
I have a challenge: When somebody are doing changes to our AD, it is done using a cyberark account. In order to finde the person behind the cyberark account, i need to go back and find the event we...
See more...
I have a challenge: When somebody are doing changes to our AD, it is done using a cyberark account. In order to finde the person behind the cyberark account, i need to go back and find the event were a person checks out an account. So i have and AD change at 01.27 with user=pam-serveradmin01 and from cyberark at 01.05 account=pam-serveradmin and user=clt How would you build this query
Labels
- Labels:
-
subsearch
02-01-2024
02:02 AM
1 Karma
{
"visualizations": {
"viz_1putkd4H": {
"type": "splunk.table",
"options": {},
"dataSources": {
"primary": "ds_P8DuhImO"
}
}
},
"dataSources": {
"ds_P8DuhImO": {
"type": "...
See more...
{
"visualizations": {
"viz_1putkd4H": {
"type": "splunk.table",
"options": {},
"dataSources": {
"primary": "ds_P8DuhImO"
}
}
},
"dataSources": {
"ds_P8DuhImO": {
"type": "ds.search",
"options": {
"query": "| makeresults\n| fields - _time\n| addinfo\n| rename info_min_time as earliest\n| rename info_max_time as latest\n| fieldformat earliest=strftime(earliest,\"%F %T\")\n| fieldformat latest=strftime(latest,\"%F %T\")\n| table earliest latest"
},
"name": "time_selected"
}
},
"defaults": {
"dataSources": {
"ds.search": {
"options": {
"queryParameters": {
"latest": "$global_time.latest$",
"earliest": "$global_time.earliest$"
}
}
}
}
},
"inputs": {
"input_global_trp": {
"type": "input.timerange",
"options": {
"token": "global_time",
"defaultValue": "-24h@h,now"
},
"title": "Global Time Range"
}
},
"layout": {
"type": "absolute",
"options": {
"display": "auto-scale",
"height": 1200
},
"structure": [
{
"item": "viz_1putkd4H",
"type": "block",
"position": {
"x": 0,
"y": 0,
"w": 1200,
"h": 90
}
}
],
"globalInputs": [
"input_global_trp"
]
},
"description": "",
"title": "studio times"
}
02-01-2024
01:56 AM
Totally agree. I value everyone's contribution and restricting my question only to a certain individual will only delay or prolong the process. Apologies for that. This won't be repeated. Let me try ...
See more...
Totally agree. I value everyone's contribution and restricting my question only to a certain individual will only delay or prolong the process. Apologies for that. This won't be repeated. Let me try @gcusello's solution and get back! Thanks guys!
02-01-2024
01:44 AM
2 Karma
It looks like @gcusello has provided a good answer - It is probably best not to call out individuals when first posing a question; we are all volunteers here and you don't know when the requested vol...
See more...
It looks like @gcusello has provided a good answer - It is probably best not to call out individuals when first posing a question; we are all volunteers here and you don't know when the requested volunteer is going to be available, and others may feel that they shouldn't answer when the question is directed to particular volunteers (do you not value others' contributions?)
02-01-2024
01:41 AM
Hi @koyachi, you can list all the Forwarders that sent logs in a period (e.g. 90 days) and that don't send logs from 7 days using a search like the following | tstats count latest(_time) AS latest ...
See more...
Hi @koyachi, you can list all the Forwarders that sent logs in a period (e.g. 90 days) and that don't send logs from 7 days using a search like the following | tstats count latest(_time) AS latest WHERE earliest=-90d@d latest=now BY host
| where latest<now()-(86400*7)
| eval latest=strftime(latest,"%Y-%m-%d %H:%M:%S")
| table host latest Obviously, you can use the time periods you need in this search. Ciao. Giuseppe
02-01-2024
01:20 AM
If I understand correctly, you want to extract with the special character into new_field, so that you can replace the special characters more easily? Try something like this | eval new = if(sourcet...
See more...
If I understand correctly, you want to extract with the special character into new_field, so that you can replace the special characters more easily? Try something like this | eval new = if(sourcetype=="custom:data", mvmap(old_field,replace(old_field,"\x7b.*?\x22bundle\x22\x3a\s+\x22((?:net|jp|uk|fr|se|org|com|gov)\x2e(\w+)\x2e.*?)\x22.*?name\x22\x3a(?:\s+)?\x22([^\x22]+)\x22.*?\x22sw_uid\x22\x3a(?:\s+)?\x22(([a-fA-F0-9]+)|[\w_:]+)\x22.*?\x22version\x22\x3a(?:\s+)?\x22(.*?)\x22.*$","cpe:2.3:a:\2:\3:\5:*:*:*:*:*:*:* - \1 - \4")),new) Note that there was also a mistake in the fourth group as this should not have been a non-capture group.
02-01-2024
01:04 AM
Hi Folks, We have thousands of universal forwarders that are currently running on old version (7.0.2). We are planning to upgrade universal forwarders to most recent version but before we do that we...
See more...
Hi Folks, We have thousands of universal forwarders that are currently running on old version (7.0.2). We are planning to upgrade universal forwarders to most recent version but before we do that we would like to reduce the overall footprint of universal forwarders by uninstalling them from the servers that are no longer sending logs. Logs for few applications and infrastructure are migrated to Azure so they are no longer sending it to splunk. Need to find a list of such servers so i can uninstall them before i do mass upgrade. Is there a query that can give me the list of hostname along with timestamp of last log that it sent. Thanks in advance
Labels
- Labels:
-
universal forwarder
01-31-2024
11:36 PM
1. Do you use indexed extractions or not? 2. Do you have time extraction properly configured (TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD)?
01-31-2024
11:32 PM
Are you sure that the file is _rotated_ (as in renamed and compressed)? Because that behaviour is pretty consistent with the "copytruncate" behaviour of logrotate when the contents of the file are co...
See more...
Are you sure that the file is _rotated_ (as in renamed and compressed)? Because that behaviour is pretty consistent with the "copytruncate" behaviour of logrotate when the contents of the file are copied out to a new file and the file is truncated afterwards. In such case the file descriptor does not change but Splunk suddenly finds itself after the end of the data so most probably assumes that it had already read all the data there was.
01-31-2024
11:27 PM
Ok. It is binary on the wire. It's just escaped either on input or when being presented in search (I never remember if Splunk does escape such stuff or input or stores it raw). You can just run the ...
See more...
Ok. It is binary on the wire. It's just escaped either on input or when being presented in search (I never remember if Splunk does escape such stuff or input or stores it raw). You can just run the tcpdump on the Splunk's side - it should be the same of course
