Hello, below is the solution for your question.

1. /opt/log/syslog-ng-sample.log

May 13 15:09:09 1.2.3.4 sim: logging for test

2. /opt/splunk/etc/apps/myapp/lookups/lookup.csv

host,host_value
1.2.3.4,myhostname

3. /opt/splunk/etc/apps/myapp/local/props.conf

[mysourcetype]
TRANSFORMS-host_override = host_override

4. /opt/splunk/etc/apps/myapp/local/transforms.conf

[host_override]
INGEST_EVAL = host=replace(_raw, "^\w+\s+\d+\s+\d+:\d+:\d+\s+([^ ]+)\s+.*", "\1"), hostname=host, host=json_extract(lookup("lookup.csv",json_object("host",host),json_array("host_value")),"host_value")

5. Result
@Skins, @moja Hello, below is the solution for your question.

1. /opt/log/syslog-ng-sample.log

May 13 15:09:09 1.2.3.4 sim: logging for test

2. /opt/splunk/etc/apps/myapp/lookups/lookup.csv

host,host_value
1.2.3.4,myhostname

3. /opt/splunk/etc/apps/myapp/local/props.conf

[mysourcetype]
TRANSFORMS-host_override = host_override

4. /opt/splunk/etc/apps/myapp/local/transforms.conf

[host_override]
INGEST_EVAL = host=replace(_raw, "^\w+\s+\d+\s+\d+:\d+:\d+\s+([^ ]+)\s+.*", "\1"), hostname=host, host=json_extract(lookup("lookup.csv",json_object("host",host),json_array("host_value")),"host_value")

5. Result
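The extract-then-lookup host override described in the two replies above, carried out in Python as an added example (this is not the poster's code and not Splunk's; the regex and the CSV row come from the replies, the function names are mine, and the choice to keep the extracted token as host when it has no lookup row is my assumption, not something the INGEST_EVAL specifies):

```python
import csv
import io
import re

# Same regex the transforms.conf INGEST_EVAL uses: skip "Mon DD HH:MM:SS", capture the next token.
HOST_TOKEN_RE = re.compile(r"^\w+\s+\d+\s+\d+:\d+:\d+\s+([^ ]+)\s+.*")

# Constructed stand-in for lookups/lookup.csv from the reply.
LOOKUP_CSV = "host,host_value\n1.2.3.4,myhostname\n"


def load_lookup(csv_text):
    """Build the host -> host_value map that lookup("lookup.csv", ...) consults."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: row["host_value"] for row in reader}


def override_host(raw, lookup):
    """Mirror the three eval steps: extract the token, keep it in hostname, replace host via the lookup.

    Returns (hostname, host). Events that do not carry the syslog header yield (None, None);
    a token with no lookup row keeps the token as host (assumed fallback, see lead-in).
    """
    m = HOST_TOKEN_RE.match(raw)
    if not m:
        return None, None
    hostname = m.group(1)             # hostname=host : preserve the pre-lookup value
    host = lookup.get(hostname, hostname)
    return hostname, host


if __name__ == "__main__":
    table = load_lookup(LOOKUP_CSV)
    print(override_host("May 13 15:09:09 1.2.3.4 sim: logging for test", table))
```

Running the module prints ('1.2.3.4', 'myhostname'), which is the split the reply relies on: the original IP survives in hostname while host carries the resolved name.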
Hi @livehybrid, I have tested and it seems to be working fine, although I got a few issues like getting "Invalid array length" (I had to refresh the browser to fix this), and the table displaying all rows instead of the number of rows I specified (rows displayed = 10). The invalid array length is intermittent. I have some follow-up questions just to make sure I understand. Thank you for your help.

1. a. Is there a limitation on the number of data sources?
   b. In my case, I need to change it like the following, correct?
      "ds_index1" : "ds_index1" (not "search1" : "ds_index1")
      Can you explain what this means: "ds_index1" : "ds_index1"?
   c. ds_xxxx is a random string created by Splunk; do you usually change it to a readable format, or do you just leave it? (Which one is best practice?)
   d. I also need to change $mysearch$ to $datasource_token$, correct?

"viz_gE0iilm3": {
    "dataSources": {
        "primary": "ds_index1",
        "ds_index1": "ds_index1",
        "ds_index2": "ds_index2"
    },
    "options": {
        "table": "> $datasource_token$"
    },
    "type": "splunk.table"
}

I was trying to choose the token when clicking the single value. Please let me know if this is correct:

{
    "type": "splunk.singlevalue",
    "dataSources": {
        "primary": "ds_singlevalue1"
    },
    "title": "Single Value 1",
    "eventHandlers": [
        {
            "type": "drilldown.setToken",
            "options": {
                "tokens": [
                    {
                        "token": "datasource_token",
                        "value": "ds_index1"
                    }
                ]
            }
        }
    ]
}

{
    "type": "splunk.singlevalue",
    "dataSources": {
        "primary": "ds_singlevalue2"
    },
    "title": "Single Value 2",
    "eventHandlers": [
        {
            "type": "drilldown.setToken",
            "options": {
                "tokens": [
                    {
                        "token": "datasource_token",
                        "value": "ds_index2"
                    }
                ]
            }
        }
    ]
}

Also, it doesn't load at the beginning, so I need to put the default token. Is this correct?

"defaults": {
    "dataSources": {
        "ds.search": {
            "options": {
                "queryParameters": {
                    "latest": "-24h@h",
                    "earliest": "now"
                }
            }
        }
    },
    "tokens": {
        "default": {
            "datasource_token": {
                "value": "ds_index1"
            }
        }
    }
}
I need to find whether the string ["foobar"] exists in a log message. I have a search query like

some stuff
| eval hasFoobar = case(_raw LIKE "%\"foobar%", "Y")
| eval hasFoobar = if(hasFoobar = "Y", "YES", "NO")
| table message, hasFoobar

which gives YESes as expected. If I add a square bracket, whether escaped or not, I only get NOes. E.g.,

some stuff
| eval hasFoobar = case(_raw LIKE "%[\"foobar%", "Y")
| eval hasFoobar = if(hasFoobar = "Y", "YES", "NO")
| table message, hasFoobar

some stuff
| eval hasFoobar = case(_raw LIKE "%\[\"foobar%", "Y")
| eval hasFoobar = if(hasFoobar = "Y", "YES", "NO")
| table message, hasFoobar

Any advice?
When a UF sends data via HTTP it uses the Splunk-to-Splunk protocol, which logstash doesn't support.
Can you fully expand an example of the search? I assume Channel is a visible field in the event list? Have you explicitly specified Channel as a field in the SPL?
Hello Experts, I am trying to send Windows security logs to a logstash (http) receiver. Below is what I have, based on my understanding of this Splunk document: https://docs.splunk.com/Documentation/Forwarder/latest/Forwarder/Configureforwardingwithoutputs.conf

On the UF I have

inputs.conf

[WinEventLog://Security]
disabled = 0

outputs.conf

[httpout]
httpEventCollectorToken = <token>
uri = http://127.0.0.1:8002
compressed = false
sendCookedData = false
compression = none

my logstash.conf (I want to write the data into a file)

input {
  http {
    port => 8002
    codec => plain
  }
}
output {
  file {
    path => "C:\logstash_output\uf_debug_raw.txt"
  }
}

The file is being created, but it holds encoded data, like encrypted data and symbols. Can someone suggest if this is even possible?

Data in the file:

{"url":{"domain":"127.0.0.1","port":8002,"path":"/services/collector/s2s"},"@version":"1","event":{"original":"�x��V�n\u001CE\u0010�`@���@\u001C�����%
You could try something like this

| rex max_match=0 "(?m)(?<namevalue>(?<=(\]|,)\s).+?(?=\s\-\s)\s-\s[^,]+?(?=,|$))(,|$)"
| mvexpand namevalue
| rex field=namevalue "(?<name>.+?(?=\s\-\s))\s-\s(?<value>[^,]+?(?=,|$))"
| eval {name}=value
| stats values(*) as * by _raw
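The two-stage rex in the reply above, carried out in Python as an added example that is not part of the original answer. The sample event line is constructed in the layout the regex expects (a bracketed prefix, then comma-separated "name - value" pairs), the function names are mine, and the lookbehind is written as a character class, which matches the same two characters as the SPL's (\]|,):

```python
import re

# Stage 1 of the SPL: every "name - value" pair that follows "] " or ", ".
PAIR_RE = re.compile(
    r"(?m)(?P<namevalue>(?<=[\],]\s).+?(?=\s-\s)\s-\s[^,]+?(?=,|$))(?:,|$)"
)
# Stage 2: split one pair into its name and value.
SPLIT_RE = re.compile(r"(?P<name>.+?(?=\s-\s))\s-\s(?P<value>[^,]+?(?=,|$))")

# Constructed sample event in the layout the regex expects.
SAMPLE_RAW = "2024-05-13 15:09:09 [INFO] user - alice, src - 10.0.0.5, action - login"


def extract_pairs(raw):
    """The multivalue field namevalue: one raw 'name - value' string per match."""
    return [m.group("namevalue") for m in PAIR_RE.finditer(raw)]


def pairs_to_fields(raw):
    """Equivalent of mvexpand, the second rex, eval {name}=value and stats values(*) as * by _raw:
    one dict per event, each name mapping to its sorted, de-duplicated values."""
    fields = {}
    for pair in extract_pairs(raw):
        m = SPLIT_RE.match(pair)
        if not m:
            continue  # a pair without " - " produces no field, as the second rex would
        fields.setdefault(m.group("name"), set()).add(m.group("value"))
    return {name: sorted(values) for name, values in fields.items()}


if __name__ == "__main__":
    print(extract_pairs(SAMPLE_RAW))
    print(pairs_to_fields(SAMPLE_RAW))
```

Because the value pattern stops at the first comma, a value that itself contains a comma is cut short; that limitation is the regex's, not the translation's, and is worth checking against real events before relying on the extracted fields.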
Hi @LearningGuy

It isn't possible to set the token within the dataSources section, *however* you can do the following...

...
"viz_gE0iilm3": {
    "dataSources": {
        "primary": "search1",
        "search1": "search1",
        "search2": "search2"
    },
    "options": {
        "table": "> $mysearch$"
    },
    "type": "splunk.table"
}
},
"dataSources": {
    "search1": {
        "name": "search1",
        "options": {
            "query": "| makeresults \n| eval msg=\"Search 1\""
        },
        "type": "ds.search"
    },
    "search2": {
        "name": "search2",
        "options": {
            "query": "| makeresults \n| eval msg=\"Search2\""
        },
        "type": "ds.search"
    }
},
...

What we're doing here is defining the references to the searches under the dataSources section of the viz, so mapping "search1" to the relevant ID of search1 (not the name!), so in your case "ds_index1".

Important Note: you *must* have a primary, otherwise the viz doesn't seem to load; this could be a basic makeresults empty search, or just search1.

Then within the table options we set:

"table": "> $mysearch$"

This defaults to "> primary" but we are overriding it with the dataSource we want it to pull from (as defined in the dataSources section of the viz).

Full example:

{
    "title": "testing",
    "description": "",
    "inputs": {
        "input_Ldh6KqEz": {
            "options": {
                "items": [
                    { "label": "Data 1", "value": "search1" },
                    { "label": "Data 2", "value": "search2" }
                ],
                "token": "mysearch"
            },
            "title": "Dropdown Input Title",
            "type": "input.dropdown"
        }
    },
    "defaults": {
        "dataSources": {
            "ds.search": {
                "options": {
                    "queryParameters": { "earliest": "-24h@h", "latest": "now" }
                }
            }
        }
    },
    "visualizations": {
        "viz_gE0iilm3": {
            "dataSources": {
                "primary": "search1",
                "search1": "search1",
                "search2": "search2"
            },
            "options": { "table": "> $mysearch$" },
            "type": "splunk.table"
        }
    },
    "dataSources": {
        "search1": {
            "name": "search1",
            "options": { "query": "| makeresults \n| eval msg=\"Search 1\"" },
            "type": "ds.search"
        },
        "search2": {
            "name": "search2",
            "options": { "query": "| makeresults \n| eval msg=\"Search2\"" },
            "type": "ds.search"
        }
    },
    "layout": {
        "globalInputs": [ "input_Ldh6KqEz" ],
        "layoutDefinitions": {
            "layout_1": {
                "options": { "display": "auto", "height": 960, "width": 1440 },
                "structure": [
                    {
                        "item": "viz_gE0iilm3",
                        "position": { "h": 300, "w": 830, "x": 10, "y": 30 },
                        "type": "block"
                    }
                ],
                "type": "absolute"
            }
        },
        "tabs": {
            "items": [ { "label": "New tab", "layoutId": "layout_1" } ]
        }
    }
}

Did this answer help you? If so, please consider: adding karma to show it was useful, marking it as the solution if it resolved your issue, commenting if you need any clarification. Your feedback encourages the volunteers in this community to continue contributing.
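As an added example that is not part of livehybrid's answer and not a Splunk tool, here is a small Python check for the three rules the answer states: every visualization needs a primary, the aliases on a viz must point at dataSource ids rather than display names, and every value the dropdown can put into a "> $token$" option must be one of those aliases. The dashboard definition it runs over is constructed to follow the answer's structure, with two deliberately broken visualizations so the checks report something; the function names and message wording are mine.

```python
import json
import re

# Constructed Dashboard Studio definition in the shape used in the answer above; two of the
# visualizations are deliberately wrong so the checks have something to report.
DASHBOARD_JSON = """
{
  "inputs": {
    "input_dd": {
      "type": "input.dropdown",
      "options": {
        "token": "mysearch",
        "items": [{"label": "Data 1", "value": "search1"},
                  {"label": "Data 2", "value": "search2"}]
      }
    }
  },
  "visualizations": {
    "viz_ok": {
      "type": "splunk.table",
      "dataSources": {"primary": "search1", "search1": "search1", "search2": "search2"},
      "options": {"table": "> $mysearch$"}
    },
    "viz_noprimary": {
      "type": "splunk.table",
      "dataSources": {"search1": "search1"},
      "options": {"table": "> $mysearch$"}
    },
    "viz_byname": {
      "type": "splunk.table",
      "dataSources": {"primary": "Data 1"}
    }
  },
  "dataSources": {
    "search1": {"type": "ds.search", "name": "Data 1", "options": {"query": "| makeresults"}},
    "search2": {"type": "ds.search", "name": "Data 2", "options": {"query": "| makeresults"}}
  }
}
"""

# An option value such as "> $mysearch$" redirects the viz to the alias named by the token.
SWITCH_RE = re.compile(r"^>\s*\$(\w+)\$$")


def lint_dashboard(definition):
    """Return a list of problem strings; an empty list means the answer's constraints hold."""
    problems = []
    data_sources = definition.get("dataSources", {})
    id_by_name = {ds.get("name"): ds_id for ds_id, ds in data_sources.items()}

    # Which values each token-setting input can produce.
    values_by_token = {}
    for input_id, inp in definition.get("inputs", {}).items():
        opts = inp.get("options", {})
        if "token" in opts:
            values = [item.get("value") for item in opts.get("items", [])]
            values_by_token[opts["token"]] = (input_id, values)

    for viz_id, viz in definition.get("visualizations", {}).items():
        refs = viz.get("dataSources", {})
        if "primary" not in refs:
            problems.append(f"{viz_id}: no primary dataSource, the viz will not load")
        for alias, target in refs.items():
            if target in data_sources:
                continue
            if target in id_by_name:
                problems.append(f"{viz_id}: alias {alias!r} uses display name {target!r}; use id {id_by_name[target]!r}")
            else:
                problems.append(f"{viz_id}: alias {alias!r} points at unknown dataSource {target!r}")
        for opt_name, opt_value in viz.get("options", {}).items():
            match = SWITCH_RE.match(opt_value) if isinstance(opt_value, str) else None
            if not match:
                continue
            token = match.group(1)
            if token not in values_by_token:
                problems.append(f"{viz_id}: option {opt_name!r} switches on ${token}$ but no input sets it")
                continue
            input_id, values = values_by_token[token]
            for value in values:
                if value not in refs:
                    problems.append(f"{viz_id}: input {input_id!r} can set ${token}$ to {value!r}, which is not an alias on this viz")
    return problems


def lint_sample():
    """Run the checks over the constructed dashboard above."""
    return lint_dashboard(json.loads(DASHBOARD_JSON))


if __name__ == "__main__":
    for problem in lint_sample():
        print(problem)
```

On the constructed definition it reports three problems: viz_noprimary has no primary and cannot follow the dropdown to search2, and viz_byname references "Data 1" by display name instead of the id search1. The same function can be pointed at an exported dashboard definition before it is saved.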
Yes! The tokens are made like this. Here are some examples. These tokens are working correctly.

<input type="dropdown" token="case_token" searchWhenChanged="true">
  <label>Case Selector</label>
  <fieldForLabel>case</fieldForLabel>
  <fieldForValue>case</fieldForValue>
  <search>
    <query>| tstats count where index=string* by index | table index </query>
  </search>
</input>
<input type="multiselect" token="host_token" searchWhenChanged="true">
  <label>Host</label>
  <fieldForLabel>Host</fieldForLabel>
  <fieldForValue>host</fieldForValue>
  <search>
    <query>| tstats count where $case_token$ by host |table host</query>
  </search>
</input>

What isn't working is the creation of the $channel_token$ made with the drilldown. I think it might be because I'm using an event pane and not a table pane.
Hello, how do I change the dataSource in a table dynamically based on a token in Splunk Dashboard Studio? I tried to assign a token on the "primary" field, so it can change dynamically to "Data 1" or "Data 2" based on selection. However, this solution does not seem to work. I've seen a suggestion to use a "saved search", but I don't want to use that solution. Please suggest. Thanks

"viz_dynamictable": {
    "type": "splunk.table",
    "dataSources": {
        "primary": "$datasource_token$"
    },
    "title": "$title_token$"
}

"dataSources": {
    "ds_index1": {
        "type": "ds.search",
        "options": {
            "query": "index=index1"
        },
        "name": "Data 1"
    },
    "ds_index2": {
        "type": "ds.search",
        "options": {
            "query": "index=index2"
        },
        "name": "Data 2"
    },
Can you post these tokens? $case_token$ $host_token$ $level_token$ $rule_token$
@ljvc I appreciate the information, this is helpful. Would you be able to share your transforms.conf files against the mc_incidents and mc_notes collections? I'd like to better understand how that correlation with incident_id is happening between the collections and dumping it into something readable in a lookup.
Thanks for your feedback. Based on what I know, this seems to be normal behavior for AD, not an issue with the add-on. If you are having trouble, please consider working with Splunk Support or ODS, who have expertise on the AD integration.
Hi! Thank you for the resources! I have been reviewing them, as well as doing other search. I still am unsure, so any specific help you can offer is appreciated.
You can start with this app: https://classic.splunkbase.splunk.com/app/1603/ With it you can see some examples of how you should play with tokens, and then try those with your own dashboard. Here is one UG presentation on how to use tokens etc.: https://data-findings.com/wp-content/uploads/2024/09/HSUG-20240903-Tiia-Ojares.pdf
Hello! I have a Classic Dashboard in Splunk and I am currently working with an Events pane. I am trying to set a token via drilldown. Here is my code:

<event>
  <search>
    <query>$case_token$ $host_token$ $level_token$ $rule_token$</query>
  </search>
  <fields>Timestamp, host, Computer, Level, Channel, RecordID, EventID, RuleTitle, Details, _time</fields>
  <option name="count">50</option>
  <option name="list.drilldown">none</option>
  <option name="list.wrap">1</option>
  <option name="raw.drilldown">none</option>
  <option name="refresh.display">progressbar</option>
  <option name="table.drilldown">all</option>
  <option name="table.sortDirect">asc</option>
  <option name="table.wrap">1</option>
  <option name="type">table</option>
  <drilldown>
    <condition field="Channel">
      <set token="channel_token">$click.value$</set>
    </condition>
  </drilldown>
</event>

There are two problems:
1. The token is not being set when I click on the table.
2. The condition to only select from the Channel field is not working.

Thank you in advance!
Sorry, but Dashboard Studio is not yet my area
You are absolutely correct with these words! There are pros and cons with SCP, as there are also in Enterprise. And definitely there is a new way how you must do things. Some of the changes are really annoying and decrease your working performance, and some of them are "Why don't I have those on-prem too?" And as in any situation with Splunk, you must say "it depends" on which one is best for you, and you must go through your use case to make the correct decision.
The reason for using this is to be able to create a list of all groups a user is in. The above query will evaluate, and memberOf still does not show "Domain Users" but shows every other group. The documentation makes no mention that the primary group ID will not show up. Unfortunately, on the network I am currently on I am unable to add a test user, assign the primary group to something else and remove them from Domain Users, but I can't see how it would be normal functionality to exclude the primary group the user is a member of. I have just never in my career seen something that could list group memberships and would intentionally skip the primary group, or "Domain Users", whichever is true in this scenario. I tested with Domain Computers as well and had the same results. It still seems weird.