Thanks @gcusello. Could you help me with the asks below? When we run the base query without timewrap, today's count is only 6 and yesterday's count is 19. But when we run the base query with timewrap, today's total is 25 and yesterday's total is 13.

Splunk Query:

basesearch earliest=-7d@d latest=now()
| timechart span=1h count
| timewrap d series=short
| addtotals s*
| eval 7dayavg=Total/7.0
| table _time, s0, s1, Total, 7dayavg
| rename s0 as Today, s1 as yesterday

Results:

_time             Today  yesterday  Total  7dayavg
2024-01-31 08:00  0      0          0      0.0
2024-01-31 09:00  0      0          0      0.0
2024-01-31 10:00  2      0          4      0.57
Hi, no, these are the default ones. The issue is I have many tables I want to set for all of the APP only - not the full Splunk install. I have tried things like the below from other answers but I can't get it to work. https://community.splunk.com/t5/Dashboards-Visualizations/Are-there-different-dashboard-colors-since-update-to-9-0-2/m-p/629683
How are you currently configuring the colours for this table?
Hi, for a table, how can I get back to the 8.0 colors? The 9.0 ones are very bright.
Hi, according to the Splunk Docs from version 9.1: "the installer creates a virtual account as a "least privileged" user called splunkfwd". After an upgrade to version 9.1.2 I am having trouble with the UF autostarting. Looking at Windows Event Logs I can see the following error:

Which suggests the account is actually "SplunkForwarder", not "splunkfwd". When I check the Windows Service Log On user I also see the user "SplunkForwarder":

And "SplunkForwarder" is also the only Splunk related user I can see when I run the following command to list all users:

get-service | foreach {Write-Host NT Service\$($_.Name)}

Can someone confirm that the Doc is incorrect and the virtual account created is in fact SplunkForwarder? Or is "splunkfwd" created somewhere else?

Thanks
HF1 is with the sender Add-on and outputs.conf configured with udp and the input ip interface (default configurations) - not working. We have checked the connectivity with the command "nc -vzu host port" on the udp port and it's showing open. Any ideas!!!
Hi, after trying this it does not work, sorry - any other ideas? Thanks, Robert
Hi @selvam_sekar, did you explore the timewrap command at https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchReference/Timewrap ? Ciao. Giuseppe
I have a challenge: when somebody is making changes to our AD, it is done using a CyberArk account. In order to find the person behind the CyberArk account, I need to go back and find the event where a person checks out an account. So I have an AD change at 01.27 with user=pam-serveradmin01 and from CyberArk at 01.05 account=pam-serveradmin and user=clt. How would you build this query?
{
  "visualizations": {
    "viz_1putkd4H": {
      "type": "splunk.table",
      "options": {},
      "dataSources": {
        "primary": "ds_P8DuhImO"
      }
    }
  },
  "dataSources": {
    "ds_P8DuhImO": {
      "type": "ds.search",
      "options": {
        "query": "| makeresults\n| fields - _time\n| addinfo\n| rename info_min_time as earliest\n| rename info_max_time as latest\n| fieldformat earliest=strftime(earliest,\"%F %T\")\n| fieldformat latest=strftime(latest,\"%F %T\")\n| table earliest latest"
      },
      "name": "time_selected"
    }
  },
  "defaults": {
    "dataSources": {
      "ds.search": {
        "options": {
          "queryParameters": {
            "latest": "$global_time.latest$",
            "earliest": "$global_time.earliest$"
          }
        }
      }
    }
  },
  "inputs": {
    "input_global_trp": {
      "type": "input.timerange",
      "options": {
        "token": "global_time",
        "defaultValue": "-24h@h,now"
      },
      "title": "Global Time Range"
    }
  },
  "layout": {
    "type": "absolute",
    "options": {
      "display": "auto-scale",
      "height": 1200
    },
    "structure": [
      {
        "item": "viz_1putkd4H",
        "type": "block",
        "position": {
          "x": 0,
          "y": 0,
          "w": 1200,
          "h": 90
        }
      }
    ],
    "globalInputs": [
      "input_global_trp"
    ]
  },
  "description": "",
  "title": "studio times"
}
Totally agree. I value everyone's contribution and restricting my question only to a certain individual will only delay or prolong the process. Apologies for that. This won't be repeated. Let me try @gcusello's solution and get back! Thanks guys!
It looks like @gcusello has provided a good answer - It is probably best not to call out individuals when first posing a question; we are all volunteers here and you don't know when the requested volunteer is going to be available, and others may feel that they shouldn't answer when the question is directed to particular volunteers (do you not value others' contributions?)
Hi @koyachi, you can list all the Forwarders that sent logs in a period (e.g. 90 days) and that haven't sent logs for 7 days using a search like the following:

| tstats count latest(_time) AS latest WHERE earliest=-90d@d latest=now BY host
| where latest<now()-(86400*7)
| eval latest=strftime(latest,"%Y-%m-%d %H:%M:%S")
| table host latest

Obviously, you can use the time periods you need in this search. Ciao. Giuseppe
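The logic of that search, as an added Python example that is not part of the thread and not Splunk code, run over constructed sample events: it re-implements latest(_time) BY host inside the earliest/latest window and the where latest<now()-(86400*7) filter, and it also shows the caveat that a host whose last event predates the earliest bound is not returned at all, so the lookback has to cover the longest silence you care about (or the output has to be compared against an asset inventory) before it is used as a decommissioning list.

```python
# Added example, not from the thread and not Splunk code: the logic of
# "| tstats count latest(_time) AS latest WHERE earliest=-90d@d latest=now BY host
#  | where latest<now()-(86400*7)" re-implemented over constructed sample events.
from datetime import datetime, timedelta, timezone

# Constructed sample data: (host, event time) pairs as a forwarder inventory might see them.
NOW = datetime(2024, 2, 1, 12, 0, tzinfo=timezone.utc)
EVENTS = [
    ("web01", NOW - timedelta(hours=1)),     # still sending
    ("web01", NOW - timedelta(days=3)),
    ("db02", NOW - timedelta(days=12)),      # quiet for 12 days -> candidate for removal
    ("db02", NOW - timedelta(days=40)),
    ("app03", NOW - timedelta(days=8)),      # quiet for 8 days -> candidate
    ("old04", NOW - timedelta(days=120)),    # last event predates a 90-day window
]


def snap_to_day(t):
    """The '@d' snap in 'earliest=-90d@d': truncate to midnight."""
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


def silent_hosts(events, now, lookback_days=90, quiet_days=7):
    """Hosts seen inside the lookback window whose latest event is older than quiet_days.
    Returns a sorted list of (host, 'YYYY-mm-dd HH:MM:SS'), like the search's table."""
    earliest = snap_to_day(now - timedelta(days=lookback_days))
    latest_by_host = {}
    for host, t in events:
        if earliest <= t <= now:                     # WHERE earliest=... latest=now
            if host not in latest_by_host or t > latest_by_host[host]:
                latest_by_host[host] = t             # latest(_time) BY host
    cutoff = now - timedelta(days=quiet_days)        # now() - 86400*7
    return sorted(
        (host, t.strftime("%Y-%m-%d %H:%M:%S"))
        for host, t in latest_by_host.items()
        if t < cutoff
    )


def missing_entirely(events, now, lookback_days=90):
    """Hosts present in the data but with no event inside the window at all.
    The search cannot return these; a decommissioning list should check for them
    separately (e.g. against an asset inventory) instead of assuming the output is complete."""
    earliest = snap_to_day(now - timedelta(days=lookback_days))
    seen_in_window = {h for h, t in events if earliest <= t <= now}
    return sorted({h for h, _ in events} - seen_in_window)


if __name__ == "__main__":
    for host, latest in silent_hosts(EVENTS, NOW):
        print(f"{host}\t{latest}")
    print("not visible in the 90-day window:", missing_entirely(EVENTS, NOW))
```

With the constructed data, app03 and db02 are reported as quiet, web01 is not, and old04 only shows up once the lookback is widened to cover its last event; the same holds for the tstats search, since the earliest bound is applied before latest(_time) is computed.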
Is there a way to do this already? Stuck at the exact same point.
If I understand correctly, you want to extract with the special character into new_field, so that you can replace the special characters more easily? Try something like this

| eval new = if(sourcetype=="custom:data", mvmap(old_field,replace(old_field,"\x7b.*?\x22bundle\x22\x3a\s+\x22((?:net|jp|uk|fr|se|org|com|gov)\x2e(\w+)\x2e.*?)\x22.*?name\x22\x3a(?:\s+)?\x22([^\x22]+)\x22.*?\x22sw_uid\x22\x3a(?:\s+)?\x22(([a-fA-F0-9]+)|[\w_:]+)\x22.*?\x22version\x22\x3a(?:\s+)?\x22(.*?)\x22.*$","cpe:2.3:a:\2:\3:\5:*:*:*:*:*:*:* - \1 - \4")),new)

Note that there was also a mistake in the fourth group as this should not have been a non-capture group.
Hi Folks, we have thousands of universal forwarders that are currently running on an old version (7.0.2). We are planning to upgrade the universal forwarders to the most recent version, but before we do that we would like to reduce the overall footprint of universal forwarders by uninstalling them from the servers that are no longer sending logs. Logs for a few applications and infrastructure are migrated to Azure so they are no longer sending them to Splunk. I need to find a list of such servers so I can uninstall them before I do the mass upgrade. Is there a query that can give me the list of hostnames along with the timestamp of the last log that each one sent? Thanks in advance
1. Do you use indexed extractions or not?
2. Do you have time extraction properly configured (TIME_PREFIX, TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD)?
Are you sure that the file is _rotated_ (as in renamed and compressed)? Because that behaviour is pretty consistent with the "copytruncate" behaviour of logrotate, when the contents of the file are copied out to a new file and the file is truncated afterwards. In such a case the file descriptor does not change but Splunk suddenly finds itself after the end of the data, so it most probably assumes that it had already read all the data there was.
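To make the two rotation styles concrete, here is an added Python example that is not part of the thread and is not Splunk's file monitor: a minimal offset-tracking reader watches a temporary log file while the script simulates a rename rotation and a copytruncate rotation. After a rename the held descriptor still points at the old inode, so the reader has to notice the inode change and reopen by path; after copytruncate the descriptor is unchanged but the stored offset lies beyond the new end of file, which is exactly the "already read everything" state described above. The file names, sample content and the resync() checks are all constructed for the example.

```python
# Added example, not from the thread and not Splunk's file monitor: a minimal
# offset-tracking reader and two simulated logrotate styles on a temp file.
import os
import tempfile

SAMPLE = b"line1\nline2\n"   # constructed initial log content (12 bytes)
NEW = b"new1\n"              # constructed write after rotation (5 bytes)


class OffsetReader:
    """Tail-style reader: holds one descriptor and the byte offset consumed so far."""

    def __init__(self, path):
        self.path = path
        self.fd = os.open(path, os.O_RDONLY)
        self.offset = 0

    def read_new(self):
        """Read whatever lies beyond the stored offset on the held descriptor."""
        os.lseek(self.fd, self.offset, os.SEEK_SET)
        data = os.read(self.fd, 1 << 20)
        self.offset += len(data)
        return data

    def truncated(self):
        """copytruncate signature: same descriptor, but our offset is past the new EOF."""
        return self.offset > os.fstat(self.fd).st_size

    def rotated(self):
        """rename signature: the path now resolves to a different inode than we hold."""
        return os.stat(self.path).st_ino != os.fstat(self.fd).st_ino

    def resync(self):
        if self.rotated():
            os.close(self.fd)
            self.fd = os.open(self.path, os.O_RDONLY)
            self.offset = 0
        elif self.truncated():
            self.offset = 0

    def close(self):
        os.close(self.fd)


def _prepare(tmpdir):
    """Create app.log, attach a naive and a checking reader, let both consume it."""
    path = os.path.join(tmpdir, "app.log")
    with open(path, "wb") as f:
        f.write(SAMPLE)
    naive, checked = OffsetReader(path), OffsetReader(path)
    naive.read_new()
    checked.read_new()
    return path, naive, checked


def _finish(naive, checked):
    naive_seen = naive.read_new()     # no resync: reads from the stale offset
    checked.resync()
    checked_seen = checked.read_new()
    naive.close()
    checked.close()
    return naive_seen, checked_seen


def copytruncate_scenario():
    """logrotate copytruncate: copy contents out, truncate in place, app keeps writing.
    Returns (what a naive reader sees, what a reader with the checks sees)."""
    with tempfile.TemporaryDirectory() as d:
        path, naive, checked = _prepare(d)
        with open(path, "rb") as src, open(path + ".1", "wb") as dst:
            dst.write(src.read())
        os.truncate(path, 0)
        with open(path, "ab") as f:
            f.write(NEW)
        return _finish(naive, checked)


def rename_scenario():
    """Classic rotation: rename the file, app (re)opens a fresh app.log and writes."""
    with tempfile.TemporaryDirectory() as d:
        path, naive, checked = _prepare(d)
        os.rename(path, path + ".1")
        with open(path, "wb") as f:
            f.write(NEW)
        return _finish(naive, checked)


if __name__ == "__main__":
    print("copytruncate:", copytruncate_scenario())
    print("rename      :", rename_scenario())
```

In both scenarios the naive reader returns nothing and the checking reader returns the new line. The size comparison has a blind spot worth knowing about when tuning rotation on a monitored host: if more bytes are written after the truncate than the reader had consumed before it polls again, the offset is no longer past EOF and the first part of the new file is skipped silently, which is one reason Splunk's file monitor keys files on a CRC of their initial bytes (inputs.conf initCrcLength / crcSalt) rather than on the descriptor alone.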
Ok. It is binary on the wire. It's just escaped either on input or when being presented in search (I never remember if Splunk escapes such stuff on input or stores it raw). You can just run tcpdump on Splunk's side - it should be the same of course.