All Posts

Hi @bhavesh0124, sorry but it isn't possible: Splunk isn't Excel, in which you can collapse two cells into one. Ciao. Giuseppe
Hello All, I have created an alert with the following query. The issue I'm having is that I'm not receiving the email alert even when the condition is met and events are returned.

| dbxquery query="SELECT eventTriggeredDate, APPLICATION_NAME, APPLICATION_NAMEENV, APPLICATION_GROUP, eventChain, eventType, eventMessage, eventMod, eventRule, eventSeverity FROM Admin.console.v_ES_RelevantEvents55 WHERE eventTriggeredDays <= 7 AND (APPLICATION_NAME='ABC_PRD' OR APPLICATION_NAME='XYZ-PRD') AND APPLICATION_NAMEENV='PRD'" connection="TESTING_DEV"
| lookup users_email.csv "Application Name" as APPLICATION_NAME OUTPUT "Admin email" as Admin_email "QA email" as QA_email "Developers email" as Developers_email
| lookup policy_details.csv policy_name as eventRule OUTPUT policy_description
| eval users_mail = Admin_email.",".Developers_email.",".QA_email
| stats count as Total_Events values(eventChain) as "Event Policy/Rule" values(eventType) as "Event Type" values(eventMod) as "Event Mod/Policy" values(eventRule) as "Event Rule" values(users_mail) as users_mail values(eventMessage) as eventMessage values(policy_description) as policy_description by APPLICATION_NAME, eventSeverity
| eval eventMessage=mvindex(eventMessage, 0, 20)
| where Total_Events > 10
| table APPLICATION_NAME, Total_Events, eventSeverity, "Event Type", "Event Rule", users_mail, eventMessage, policy_description
| rename APPLICATION_NAME as application_name, Total_Events as number_of_events, eventSeverity as event_severity, "Event Type" as event_type, "Event Rule" as event_rule, eventMessage as event_message

I have given the email list as $result.users_mail$, the values from the field users_mail. I see the alert being triggered but I don't receive an email. Also, is there a way we can add external links to the Splunk alerts?
I am trying to filter my search results so that only a particular subset of the results is shown. For example, suppose the intermediate search result is as below:

MESSAGE: Records::0
MESSAGE: Records::1
MESSAGE: Records::0
MESSAGE: Records::4

The final search results should contain only the rows where the record count is greater than 0. Is there any query which can help with this?
duser=NT AUTHORITY\SYSTEM dvc=10.10.10.10 rt=Jan 29 2024 04:41:24 dhost=abcd.efgh.com SHA-1=Not available MD5=Not available Size=Not available content=0x00000001 (1) contentLabel=Current Version Content timezone=Pacific Standard Time

I want to be able to pull out duser, dvc, dhost etc. I am focusing on duser at the moment because it is giving me the most grief, due to the space in the value. If I can get one to work, I can get the rest working. The search so far is simple:

index="abc" | rex field=_raw "duser=(?P<User>.*?) dvc" | table User
Thanks for the clarification, but the regex you provided still doesn't match the data.  Did you try the one I gave?
Hi, I want to get rid of columns which have a single unique value. There could be multiple columns showing this behavior.

Test   Value1  Value2  Value3  Value4
Test1  2       b       a       7
Test2  1       c       a       7

I want to get rid of columns "Value3" and "Value4" since they have only one unique value across all rows.

@gcusello @ITWhisperer @scelikok @PickleRick
Any specific example query to use for this, please?
Hi! I'm also getting this problem. Any ideas on how to solve it? Regards. Jorge
#mission_control, #splunk cloud

Hi. In my org, Mission Control events are primarily investigated by the SOC as soon as they pop up; if further investigation is needed, the incident is escalated to the Enterprise Security TEAM, who is responsible for performing the deeper/detailed investigation and updating Mission Control. USE CASE: the enterprise security manager wants a DASHBOARD which will inform him, if the investigation is being performed by his team (ES), how much time on average his team members take to resolve an incident, averaged over a month. For the ES team I have a lookup file, or I can also type their names (only 7-8 people). I NEED A QUERY WHICH WILL EVALUATE, WHEN assigne=(tom,tim,xyz), the difference between update_time and create_time, averaged out over a month. Fields we have:

| mcincidents add_response_stats=true
| eval create_time=strptime(create_time, "%m/%d/%Y %I:%M:%S %p")
| eval update_time=strptime(update_time, "%m/%d/%Y %I:%M:%S %p")
| table assigne, create_time, update_time, description, disposition, id, incident_type, name, sensitivity, source_type, summary
Got a nasty-gram for posting links; search online for freeload101 github, in scripts, Splunk_UniversalForwarder_Installer.bash
Actually, the field abcd is already extracted, but that field contains all the values, including the credit card number and expiry date, for example like below:

abcd="n required YES Accommodation [Bucharest] 5 Nights – Novotel Bucharest HDFC Master card number 1234 4567 0002 4786 Expiry Date of HDFC card 02/28 Any other relevant info Thanks and Regards, santhosh. From"
abcd="n required YES Accommodation [Bucharest] 5 Nights – Novotel Bucharest HDFC Master card number 2345 3333 0012 0405 Expiry Date of HDFC card 06/29 Any other relevant info QATAR FARE IS INR 122645 /-ONWARD"
abcd="n required YES Accommodation [Bucharest] 6 Nights – Novotel Bucharest HDFC Master card number 2323 2324 0010 0600 Expiry Date of HDFC card 06/34 Any other relevant info [cid:image001.png@01DA4ACD.FF6"

So the data is already extracted into one field called abcd, and I want to mask the credit card number except the last 4 digits, and the expiry date.
Hi man03359, I'd say there is nothing wrong with being a noob; we all are at some point, continuously. To your question, while perhaps not quite directly responsive: you might want to create tags (and review the existing ones) for certain types of data that you know lie in different indexes and sourcetypes. This can be a way of creating a searchable correlation that is properly time-indexed; then you can pivot to the specific index/sourcetype. Some explanation on tagging/eventtypes here:

what is the basic difference between tags and even... - Splunk Community
About tags and aliases - Splunk Documentation
About event types - Splunk Documentation
The cited SEDCMD is looking for the literal text "abcd=", which doesn't exist in the sample event. Therefore, the card number will not be masked. It's also looking for groups of 4 digits separated by hyphens, which also are not in the sample event. SEDCMD looks at the raw event rather than a specific field. Try this in props.conf:

SEDCMD-accmasking = s/card number \d{4} \d{4} \d{4} (\d{4})/card number xxxx xxxx xxxx \1/
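Added here as a check, not part of the original thread: the answer's substitution applied with Python's re module to events shaped like the question's samples (card numbers and dates are the constructed values from the question), plus an assumed second substitution for the expiry date, which the asker also wants hidden but the answer's SEDCMD leaves in clear.

```python
import re

# Constructed sample events in the shape the question shows; the card numbers
# and dates are the made-up values from the question, not real data.
SAMPLE_EVENTS = [
    'abcd="n required YES Accommodation [Bucharest] 5 Nights - Novotel Bucharest '
    'HDFC Master card number 1234 4567 0002 4786 Expiry Date of HDFC card 02/28 '
    'Any other relevant info Thanks and Regards, santhosh. From"',
    'abcd="n required YES Accommodation [Bucharest] 5 Nights - Novotel Bucharest '
    'HDFC Master card number 2345 3333 0012 0405 Expiry Date of HDFC card 06/29 '
    'Any other relevant info QATAR FARE IS INR 122645 /-ONWARD"',
]

# Same pattern as the answer's SEDCMD: keep only the last group of four digits.
CARD_RE = re.compile(r"card number \d{4} \d{4} \d{4} (\d{4})")
CARD_REPLACEMENT = r"card number xxxx xxxx xxxx \1"

# Assumed extension (not in the answer): mask the MM/YY expiry that follows
# the fixed text "Expiry Date of HDFC card" in these events.
EXPIRY_RE = re.compile(r"(Expiry Date of HDFC card )\d{2}/\d{2}")
EXPIRY_REPLACEMENT = r"\1xx/xx"


def mask_card(event: str) -> str:
    """Apply the card-number substitution from the answer to one raw event."""
    return CARD_RE.sub(CARD_REPLACEMENT, event)


def mask_expiry(event: str) -> str:
    """Apply the assumed expiry-date substitution to one raw event."""
    return EXPIRY_RE.sub(EXPIRY_REPLACEMENT, event)


def mask_event(event: str) -> str:
    """Full masking as it would apply at index time: card number, then expiry."""
    return mask_expiry(mask_card(event))


def leaks_pan(event: str) -> bool:
    """Verification: does any 16-digit, space-grouped card shape survive?"""
    return re.search(r"\b\d{4} \d{4} \d{4} \d{4}\b", event) is not None


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        masked = mask_event(raw)
        print(masked)
        print("PAN still visible:", leaks_pan(masked))
```

Before adding the SEDCMD to production, run the masked samples through a check like leaks_pan so a format change in the source (extra spaces, hyphens) does not silently leave card numbers in the index.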
My company flagged Redis as vulnerable because requirepass is not enabled. How do I enable it and give the password to the clients that connect to Redis?
How do I display the top 10 and replace the rest with "Others"? I tried using top limit=5 with useother, but the number didn't match and it showed other fields like count, percent and _tc. This is just an example; I have a lot of fields and rows in the real data. Thank you for your help.

| addcoltotals labelfield=Name | top limit=5 useother=t Name Score   ==> number didn't match

Before:
   Expense Name    Score
1  Rent            2000
2  Car             1000
3  Insurance        700
4  Food             500
5  Education        400
6  Utility          200
7  Entertainment    100
8  Gym               70
9  Charity           50
10 Total           5020

After:
   Expense Name    Score
1  Rent            2000
2  Car             1000
3  Insurance        700
4  Food             500
5  Education        400
6  Others           420
7  Total           5020
Argh. This is a case of very badly prepared data, and without external manipulation you won't get it into Splunk (or parse it after ingestion). The <Data> part of your data is so badly organized that there is no explicit relationship between the <ColumnNames> and <DataRows>. Whoever thought about preparing data in this format did it very, very wrong. Even if you were to manipulate it with a solution other than Splunk, you'd have a hard time composing those associations between column names and their values, because of the need to externally keep the order of those values.
You can extend this search from _audit index to find those searches that have result_count=0. But to be fully honest, it seems like a case of underdocumenticitis - when you have no control over what your users do and have no documentation for it. And that's the root cause of your problem.
Hi, I have two sets of JSON data. I want to find the keys which are unique to one dataset and also the keys which are missing from it in comparison with the other dataset. My first data set looks as below:

{
  "iphone": { "price": "50", "review": "Good" },
  "desktop": { "price": "80", "review": "OK" },
  "laptop": { "price": "90", "review": "OK" }
}

My second data set looks as below:

{
  "tv": { "price": "50", "review": "Good" },
  "desktop": { "price": "60", "review": "OK" }
}

Therefore, for the first data set (w.r.t. the second data set), the unique values will be iphone and laptop, and the missing values will be tv. How can I find out this difference and show them in a table with columns like "uniq_value" and "missing_value"? I could only write the query up to this point, but this is only half of it and not what I want:

index=product_db
| eval p_name=json_array_to_mv(json_keys(_raw))
| eval p_name=mvfilter(NOT match(p_name, "uploadedBy") AND NOT match(p_name, "time"))
| mvexpand p_name
| table p_name

Thanks
This was very helpful. Thank you so much!
Even though I configured AWS correctly, I am getting this error in Splunk:

Metric event data without a metric name and properly formated numerical values are invalid and cannot be indexed. Ensure the input metric data is not malformed, have one or more keys of the form "metric_name:< metric > " (e.g..."metric_name:cpu.idle") with corresponding floating point values.