But step 3 you mentioned is optional, in the sense that it's not required to request statuses for events to be indexed (I can verify my data is present, and events are logged). So I didn't expect this behavior. After this max number of pending events is reached, the channel for the related token goes into busy status, which leads to loss of logs until I restart the service. I tried to increase max_number_of_acked_requests_pending_query, but it only allows me to postpone the deadline, and setting a huge value could perhaps also have a negative impact on server health. As I cannot control anything on the client except the channel header and the authorization header, and as the client doesn't seem to do status requests (firewall logs), I will try to set maxIdleTime under 60, as the client sends data every 60 seconds. Thanks
Thank you for your reply. I have a dashboard. I would like to add a search bar where a user can enter a Talend job name and launch a search with a button. Example: I would like to put it in a <fieldset> tag.
Thanks @isoutamo and @richgalloway. Closing thread: after uploading the new Developer license, the issue got fixed and users were able to log in (it probably overrode the Dev/Test Personnel license). Thanks
Hi @michaelteck, let me understand: you have a dashboard with some panels, and in addition you want to add another panel in which the user can run a search using SPL and visualize the results in the same panel, is that correct? If this is your requirement, you can create a panel with a free text input (inside the same panel). Ciao. Giuseppe
Hello everyone and Happy New Year. I'm a newbie with Splunk, and I'm trying to make a fully dynamic dashboard with the Search & Reporting app. I work on Talend's logs. I'm looking to create a search bar for searching jobs directly, without using the drop-down menus. Is there a solution to make a search bar on top of the dashboard with a "search" button? Thanks for reading me.
Hi, Has anyone else encountered a situation where the 'orig_time' field isn't showing up in the Windows event logs with Eventcode=7040?
This sounds like a good use case for the WILDCARD(keyword) capability within the advanced settings of lookup definitions. I tried it out on a local instance and think I got what you are looking for.

Wildcards will need to be included in the lookup, though, so it would look like this. And if you are only looking for matches against the beginning of the "Asset" field value, then you can also just set up the wildcards on the end of the values in the lookup (this example also has a net-new field in the lookup to retain the original keyword value in case it is needed elsewhere), and under the advanced settings checkbox in the lookup definition you would configure the field "keyword" to match with wildcards like this (you can turn off case-sensitivity too).

Note: If you decide to go with the wildcard match using a new "keyword_wildcard" field from the lookup, you will have to adjust the lookup definition advanced settings to WILDCARD(keyword_wildcard) instead.

Example SPL:

<base_search>
| lookup splunk_community_keyword_association keyword as Asset OUTPUT country as match_country
| eval country=coalesce(if(NOT match(country, "^(?i)(?:unknown|not\s+available|n\/a|na)$"), 'country', null()), 'match_country')

Full SPL to simulate:

| makeresults | eval Asset="braiskdidi001", country="Britain"
| append [ | makeresults | eval Asset="breliudusfidf002", country="Unknown" ]
| append [ | makeresults | eval Asset="bruliwhdcjn001", country="not available" ]
| rename country as country_from_index
``` lookup wildcard match against Asset field value to the keyword_wildcard field in lookup and return the country if match is found ```
| lookup splunk_community_keyword_association keyword_wildcard as Asset OUTPUT country as country_from_lookup
``` evaluate new country field that uses derived country from lookup if a match is found and the country_from_index indicates that it was not found ```
| eval coalesced_country=coalesce(if(NOT match(country_from_index, "^(?i)(?:unknown|not\s+available|n\/a|na)$"), 'country_from_index', null()), 'country_from_lookup')
| fields + _time, Asset, country_from_index, country_from_lookup, coalesced_country

Referenced splunk_community_keyword_association.csv:

country,keyword,keyword_wildcard
Britain,bru,bru*
Britain,bre,bre*
USA,usa,usa*
After a while I solved my problem with an EVAL statement. My props.conf is now:

...
...
EVAL-disposition_split = split(disposition, ";")
LOOKUP-action = fortimail_action_lookup.csv vendor_action AS disposition_split OUTPUT action
The steps seem pretty clear in the docs.
1) Send data to HEC
2) Get an ACK *ID* in response
3) Use the ACK ID to confirm the data has been written
To verify that the indexer has indexed the event(s) contained in the request, query the [https://<host>:<port>/services/collector/ack] endpoint. Indexers get pending queries because the client has not closed them by requesting the status.
Hello, as I want to get my email events CIM compliant, I have trouble parsing a "disposition" key-value pair. Example: Having an event:

date=2024-01-09 time=11:59:43.258 device_id=XXXXXXXXXXXXXX log_id=0200012329 type=statistics pri=information session_id="4XXXXXXXXXXX-4XXXXXXXXXXXXX" client_name="example.com" disposition="Modify Subject;Insert Disclaimer;Defer Disposition" classifier="Data Loss Prevention" message_length="94756" subject="Test subject" message_id="xxxxxxxxxxxxxxxxxxxx@example.com" recv_time="" notif_delay="0" scan_time="0.186489" xfer_time="0.002166" srcfolder="" read_status="

I have the disposition field extracted at search time with the value "Modify Subject;Insert Disclaimer;Defer Disposition". What I need to do is to separate the values into a multivalue field, and then use a lookup to determine the action. Lookup file:

vendor_action,action
Accept,delivered
Reject,blocked
Add Header,delivered
Modify Subject,
Quarantine,quarantined
Discard,blocked
Replace,
Delay,
Rewrite,
Insert Disclaimer,
Defer Disposition,delivered
Disclaimer Body,delivered
Disclaimer Header,delivered
Defer,
Quarantine to Review,quarantined
Content Filter as Spam,
Encrypt,
Decrypt,
Alternate Host,
BCC,
Archive,
Customized repackage,
Repackage,
Notification,

In the end, the event should have a field named action, and for this example the value should be delivered. My props.conf:

[fortimail]
...
...
LOOKUP-action = fortimail_action_lookup.csv vendor_action as disposition OUTPUT action
REPORT-disposition = disposition_extraction

My transforms.conf:

[disposition_extraction]
SOURCE_KEY = disposition
DELIMS = ";"
MV_ADD = true

But eventually I just end up with the original value ("Modify Subject;Insert Disclaimer;Defer Disposition") and it doesn't get separated. What am I doing wrong?
@pdrieger_splunk any idea?
Yes, that was helpful and sorry for my delayed confirmation. 
Hello, thanks for your answer, but I don't have the same understanding of the Splunk documentation as you. If you were right, the HEC service would be down a few hours after startup, or less. As explained in the Splunk documentation (see the graph), HEC responds with an ACK for each event thrown, but you can send a request for a particular event to verify the status: "Each time a client sends a request to the HEC endpoint using a token with indexer acknowledgment enabled (1), HEC returns an acknowledgment identifier to the client (2)." https://docs.splunk.com/Documentation/Splunk/9.1.2/Data/AboutHECIDXAck#Query_for_indexing_status
1. Client sends HEC request with event data
2. HEC acks the request once the event is indexed
HEC clients don't need to ask for status for events to get indexed well (millions each day), but after a while the indexers become busy due to the maximum number of pending requests. I already increased this value, so now I need to understand why these pending queries are increasing. So my problem is something with pending requests and why they are increasing like that. I don't see any errors with the metrics, but they don't seem to be cumulative (because Splunk Enterprise deletes status information after clients retrieve it). I cannot control HEC client behavior beyond basic settings (for information, this is Akamai DataStream).
Hi, For the past 90 days, we haven't detected any alerts triggered by the GitHub secret scanning rule in my Splunk ES. Consequently, we're unable to even query an index. Tq
Try something like this:
| eval keyword=substr(Asset,0,3)
| lookup country_categorization keyword
Hi, here is the default SPL of the app Splunk App for Data Science and Deep Learning (Time Series Anomalies with STUMPY - Time Series Anomaly Detection with Matrix Profiles):

| inputlookup cyclical_business_process.csv
| eval _time=strptime(_time, "%Y-%m-%dT%H:%M:%S")
| timechart span=15m avg(logons) as logons
| fit MLTKContainer algo=stumpy m=96 logons from _time into app:stumpy_anomalies
| table _time logons matrix_profile
| eventstats p95(matrix_profile) as p95_matrix_profile
| eval anomaly=if(matrix_profile>p95_matrix_profile,1,0)
| fields - p95_matrix_profile

Now I want to run this command for my data. Here is the sample log:

2022-11-30 23:59:00,122,124
2022-11-30 23:58:00,113,112
2022-11-30 23:57:00,144,143
2022-11-30 23:56:00,137,138
2022-11-30 23:55:00,119,120
2022-11-30 23:54:00,103,102
2022-11-30 23:53:00,104,105
2022-11-30 23:52:00,143,142
2022-11-30 23:51:00,138,139
2022-11-30 23:50:00,155,153
2022-11-30 23:49:00,100,102

timestamp: 2022-11-30 23:59:00
logons: 122

Here is the SPL that I run:

| rex field=_raw "(?<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(?<logons>\d+)"
| eval _time=strptime(time, "%Y-%m-%d %H:%M:%S")
| timechart span=15m avg(logons) as logons
| fit MLTKContainer algo=stumpy m=96 logons from _time into app:stumpy_anomalies
| table _time logons matrix_profile
| eventstats p95(matrix_profile) as p95_matrix_profile
| eval anomaly=if(matrix_profile>p95_matrix_profile,1,0)
| fields - p95_matrix_profile

Before the fit command _time shows correctly, but after the fit command it's empty! FYI: logons, matrix_profile and anomaly return correctly, but _time is empty! Any idea?
Hi Splunkers, I have a lookup country_categorization which has the keyword and its equivalent country. We need to use this info for the main search asset: when the country field from the index is "not available" or "Unknown", we need to use the keyword from the lookup and compare it with the asset name from the index. Usually keywords are a set of prefixes of asset names with multiple entries, and they should match the equivalent country.

Index - Asset, country
braiskdidi001, Britain
breliudusfidf002, Unknown
bruliwhdcjn001, not available

lookup keyword, country
bru - Britain
bre - Britain

The output should be:

braiskdidi001, Britain
breliudusfidf002, Britain
bruliwhdcjn001, Britain

Thanks in Advance! Manoj Kumar S
Hello, I'd like to know how to locate the correlation searches that XSOAR is monitoring, rather than the incident review panel in the ES. Could you please check if there's a REST API Search available for this? Thanks!
Hi @Praz_123
1) The alert search query: can you please copy-paste it here (remove the IP addresses, hostnames, sensitive details, etc.)?
2) The alert trigger conditions: results equal to 0, or greater or less than... a screenshot; can you share it with us? Thanks
|rest /services/apps/local
|fields author configured disabled eai:acl.owner eai:acl.sharing label title visible check_for_updates update.version version
|dedup title
|table title label author eai:acl.owner eai:acl.sharing configured disabled visible check_for_updates update.version version