All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

All Posts

Re: Send one email to multiple recepients using action.email

by in Alerting
‎01-26-2024 10:55 PM
‎01-26-2024 10:55 PM
@PickleRick : admin@gmail.com will be mentioned in action.email.Cc="admin@gmail.com". action.email.to=$result.owner$ action.email.Cc=admin@gmail.com So, you mean sendemail.py script doesnot ha... See more...
@PickleRick : admin@gmail.com will be mentioned in action.email.Cc="admin@gmail.com". action.email.to=$result.owner$ action.email.Cc=admin@gmail.com So, you mean sendemail.py script doesnot have capability to send one email to different users with all of them in to fields ? We cannot do that ? Regards, PNV

Splunk query help - query for URL that have values other than X,Y,Z

by in Splunk Search
‎01-26-2024 06:04 PM
‎01-26-2024 06:04 PM
Lets say i would like to query for message that has a URL field with values other than X,Y,Z added as query parameters , how do i go about this ? TIA
Labels

Re: Unable to access web UI

by SplunkTrust in Installation
‎01-26-2024 03:28 PM
1 Karma
‎01-26-2024 03:28 PM
1 Karma
Hi you should check if you have disabled web server. See https://docs.splunk.com/Documentation/Splunk/latest/Security/DisableunnecessarySplunkcomponents r. Ismo

Re: Help with Field Extraction

by in Splunk Search
‎01-26-2024 03:03 PM
‎01-26-2024 03:03 PM
When I put in my search like this | rex field=_raw "duser=(?<User>.*?) dvc" I get a new field called UserNameLabel with the value of 'User' not the user field data  

Re: Error: CLIENT_PLUGIN_AUTH is required

by in Splunk AppDynamics
‎01-26-2024 02:33 PM
‎01-26-2024 02:33 PM
I will look into that - question on it - will that affect other Mysql /MariaDB's that are newer? IE - will they still work with an older driver?

Re: Need Help with REGEX for this raw data

by SplunkTrust in Splunk Search
‎01-26-2024 02:23 PM
‎01-26-2024 02:23 PM
I always recommend not to treat structured data such as XML as text.  Regex is usually the last route you want to go because it is not as robust as QA tested Splunk builtin functions such as spath. ... See more...
I always recommend not to treat structured data such as XML as text.  Regex is usually the last route you want to go because it is not as robust as QA tested Splunk builtin functions such as spath. I suspect the posted data is just a snippet and not the complete event.  But the snippet itself looks compliant.  If the raw event is compliant XML, Splunk should have given you fields like Event.System.Computer.  If you don't have that, try set KV_MODE=xml.  If there are other elements in raw event that are not part of XML, e.g., timestamp, log level, etc., you should use rex to extract the compliant XML into a field, say data, then use spath on it. Here is an emulation based on your mock snippet, assuming you have the XML in data. (Replace with _raw if the entire event is XML.)   | makeresults | eval data ="<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/><EventID>8194</EventID><Version>1</Version><Level>5</Level><Task>1</Task><Opcode>16</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2024-01-25T22:00:11.2420989Z'/><EventRecordID>5161615</EventRecordID><Correlation ActivityID='{157f6670-a34e-4258-8c5a-695a5d47a600}'/><Execution ProcessID='6056' ThreadID='5928'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>server.domain</Computer><Security UserID='S-1-5-21-3521695231-3467208260-910013933-395133'/></System><EventData><Data Name='InstanceId'>157f6670-a34e-4258-8c5a-695a5d47a600</Data><Data Name='MaxRunspaces'>1</Data><Data Name='MinRunspaces'>1</Data></EventData>" ``` data emulation above ``` | spath input=data | fields - data _* | transpose column_name=fieldname | rename "row 1" as fieldvalue   This gives fieldname fieldvalue Event.EventData.Data 157f6670-a34e-4258-8c5a-695a5d47a600 1 1 Event.EventData.Data{@Name} InstanceId MaxRunspaces MinRunspaces Event.System.Channel Microsoft-Windows-PowerShell/Operational Event.System.Computer server.domain Event.System.Correlation{@ActivityID} {157f6670-a34e-4258-8c5a-695a5d47a600} Event.System.EventID 8194 Event.System.EventRecordID 5161615 Event.System.Execution{@ProcessID} 6056 Event.System.Execution{@ThreadID} 5928 Event.System.Keywords 0x0 Event.System.Level 5 Event.System.Opcode 16 Event.System.Provider{@Guid} {a0c1853b-5c40-4b15-8766-3cf1c58f985a} Event.System.Provider{@Name} Microsoft-Windows-PowerShell Event.System.Security{@UserID} S-1-5-21-3521695231-3467208260-910013933-395133 Event.System.Task 1 Event.System.TimeCreated{@SystemTime} 2024-01-25T22:00:11.2420989Z Event.System.Version 1 Event{@xmlns} http://schemas.microsoft.com/win/2004/08/events/event Hope this helps.

Unable to access web UI

by Splunk Employee in Installation
‎01-26-2024 02:22 PM
‎01-26-2024 02:22 PM
Hi all, I am new to splunk When I start splunk, it does not show information regarding the web being available to access. Normally at the end there is a meesage saying that the web interface is ava... See more...
Hi all, I am new to splunk When I start splunk, it does not show information regarding the web being available to access. Normally at the end there is a meesage saying that the web interface is available at 127.0.0.0:8000 I just desapeared because I was able to earlier. I dont know if a misconfigured something   Appreciate the help  
Labels

Splunk for LLM Preprocessing?

by in Other Usage
‎01-26-2024 02:11 PM
‎01-26-2024 02:11 PM
The nature of Splunk is for data aggregation and standardization from digests. Could it be possible to utilize it to preprocess data for a large language model?

Re: Error: CLIENT_PLUGIN_AUTH is required

by Community Manager in Splunk AppDynamics
‎01-26-2024 01:48 PM
1 Karma
‎01-26-2024 01:48 PM
1 Karma
Hi @Geoff.Wild, I found some info, it's a few years old, but perhaps it'll point you in a right direction. The error could be due to the JDBC driver not being compatible with the MySQL connector ... See more...
Hi @Geoff.Wild, I found some info, it's a few years old, but perhaps it'll point you in a right direction. The error could be due to the JDBC driver not being compatible with the MySQL connector JDBC driver jar mysql-X.jar file needs to be renamed with a compatible driver file under <DBAgent_install_dir>/lib/ folder. We will need to stop DB agent java process and replace current JDBC driver for MySQL in agent lib folder with compatible JDBC driver and start agent again, see if that information helps. Refer to the forum link below  https://stackoverflow.com/questions/37348572/new-mysql-driver-causes-java-sql-sqlnontransientconnectionexception-client-plug

Re: Help with Field Extraction

by in Splunk Search
‎01-26-2024 01:26 PM
‎01-26-2024 01:26 PM
When I put in my search like this | rex field=_raw "duser=(?<User>.*?) dvc" I get a new field called UserNameLabel with the value of User  

Re: Return "1" if value of a field is greater than "0" for a given range

by SplunkTrust in Splunk Enterprise
‎01-26-2024 01:02 PM
‎01-26-2024 01:02 PM
Assuming dvc is the ip address you mentioned and duration is reset to 1 after determining a range, how can the max be anything other than 1?

Re: Transitioning to virtualized servers and validations

by SplunkTrust in Splunk Enterprise
‎01-26-2024 12:32 PM
‎01-26-2024 12:32 PM
Hi I’m not sure what you are virtualizing and what you want to monitor or are you asking something else? Are you talking about virtualization of splunk infrastructure or are you monitoring your virtu... See more...
Hi I’m not sure what you are virtualizing and what you want to monitor or are you asking something else? Are you talking about virtualization of splunk infrastructure or are you monitoring your virtualization environment like VMware? r. Ismo

Splunk Add-on for DynaTrace

by in All Apps and Add-ons
‎01-26-2024 12:28 PM
‎01-26-2024 12:28 PM
Hi there, I have configured Dynatrace add-on with proxy setup enabled (coz of firewall issue), if I run the dynatrace url using the api token through postman I am getting data for all the endpoints.... See more...
Hi there, I have configured Dynatrace add-on with proxy setup enabled (coz of firewall issue), if I run the dynatrace url using the api token through postman I am getting data for all the endpoints.  But in splunk we are getting connectionpool.py and modinput.py error for the Dynatrace API Version 2 input. DEBUG pid=xxxxx tid=MainThread file=connectionpool.py:_new_conn:1018 DEBUG pid=xxxxx tid=MainThread file=base_modinput.py:log_debug:298 please guide me to fix this issue, thank you  

Re: Need Help with REGEX for this raw data

by SplunkTrust in Splunk Search
‎01-26-2024 12:13 PM
‎01-26-2024 12:13 PM
I assume by break into single lines you mean expand to multiple events? | rex max_match=0 "\<Computer\>(?<computer>[^\<]*)\</Computer\>" | mvexpand computer

Re: Return "1" if value of a field is greater than "0" for a given range

by SplunkTrust in Splunk Enterprise
‎01-26-2024 12:09 PM
‎01-26-2024 12:09 PM
Try something like this |eval duration_range=mvrange(0, duration + duration%3600, 3600) | eval duration = 1 |mvexpand duration_range |eval _time=_time-duration_range |timechart span=1h max(duration)... See more...
Try something like this |eval duration_range=mvrange(0, duration + duration%3600, 3600) | eval duration = 1 |mvexpand duration_range |eval _time=_time-duration_range |timechart span=1h max(duration) by dvc

Need Help with REGEX for this raw data

by in Splunk Search
‎01-26-2024 11:58 AM
‎01-26-2024 11:58 AM
We need to extract the value behind "<Computer>"  I have underlined it to make it easier.  It would also be beneficial to have these broke out into single lines.  Any help is greatly appreciated! ... See more...
We need to extract the value behind "<Computer>"  I have underlined it to make it easier.  It would also be beneficial to have these broke out into single lines.  Any help is greatly appreciated! <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/><EventID>8194</EventID><Version>1</Version><Level>5</Level><Task>1</Task><Opcode>16</Opcode><Keywords>0x0</Keywords><TimeCreated SystemTime='2024-01-25T22:00:11.2420989Z'/><EventRecordID>5161615</EventRecordID><Correlation ActivityID='{157f6670-a34e-4258-8c5a-695a5d47a600}'/><Execution ProcessID='6056' ThreadID='5928'/><Channel>Microsoft-Windows-PowerShell/Operational</Channel><Computer>server.domain</Computer><Security UserID='S-1-5-21-3521695231-3467208260-910013933-395133'/></System><EventData><Data Name='InstanceId'>157f6670-a34e-4258-8c5a-695a5d47a600</Data><Data Name='MaxRunspaces'>1</Data><Data Name='MinRunspaces'>1</Data></EventData><RenderingInfo Culture='en-US'><Message>Creating RunspacePool object 
Labels

Re: Help with Field Extraction

by SplunkTrust in Splunk Search
‎01-26-2024 11:53 AM
‎01-26-2024 11:53 AM
Set your anchors either side of the field extraction | rex "duser=(?<User>.*?) dvc"

Help with Field Extraction

by in Splunk Search
‎01-26-2024 11:45 AM
‎01-26-2024 11:45 AM
Here is my sample data;   start=Dec 30 2023 06:07:47 duser=NT AUTHORITY\SYSTEM dvc=10.163.142.37 I need to extract the full duser information.  Splunk only grabs NT and not the remaining of the ... See more...
Here is my sample data;   start=Dec 30 2023 06:07:47 duser=NT AUTHORITY\SYSTEM dvc=10.163.142.37 I need to extract the full duser information.  Splunk only grabs NT and not the remaining of the string I have the following  Regex via regex101 that works....I am grabbing whatever is between 'duser=' and ' dvc' (?<=duser=)(.*?)(?= dvc) I just don't quite understand how the field extraction part is supposed to work...  I have tried... | rex field=_raw "'(?<User>(?<=duser=)(.*?)(?= dvc))'"  and | rex field=_raw "duser=\s+(?<User>[^\\]*)" No errors, just not getting any data in a User field.   Thanks in advance.    
Labels