Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
Hello, I am working on a search to find domains queried via a particular host, and list out a count of hits per unique domain on the host, along with the username. This search is returning the domains individually, but they are showing up as an entry in each "count" (see the Actual Results below). What I am looking to do is get the results to show only the values for the highest count of each domain, and to order these results from highest to lowest (see Expected Results below).

index=foo Host=<variable>
| streamstats count(query) as Domains by User query Workstation
| eval combo=Domains +" : "+ query
| stats values(combo) as "Unique Hits : Domain" by User Workstation
| sort - combo

Actual Results (truncated):
1 : www.youtube.com
2 : history.google.com
3 : history.google.com

Expected Results (truncated):
3 : history.google.com
2 : mail.google.com
1 : www.youtube.com
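The search below is an added example, not part of the original post. It replaces the running streamstats count (which emits one row per event, hence "1 : ...", "2 : ...", "3 : ..." for the same domain) with a single total per domain, sorts before the final aggregation, and uses list() instead of values(), because values() deduplicates and sorts its output as strings, which is why "1 : www.youtube.com" came out first above. The index, Host filter and field names are taken from the post; nothing else is assumed.

```spl
index=foo Host=<variable>
| stats count as Hits by User Workstation query
| sort - Hits
| eval combo=Hits." : ".query
| stats list(combo) as "Unique Hits : Domain" by User Workstation
```

Because sort runs before the final stats, list(combo) keeps each User/Workstation group in highest-to-lowest order; the final sort on combo in the original search had no effect, since that field no longer exists after the stats command.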
Yes, you can do this using the Splunk HTTP Event Collector.   Here's a blog post showing an example of Splunk receiving data from a Zoom webhook: Splunking Webhooks with the HTTP Event Collector | Splunk
I was looking for this answer! This worked for me,  I have a Mac.
Sounds like you need this app from Splunkbase: Treeview Viz | Splunkbase
Does this page help at all? There are some gotchas with this configuration depending on how the account was set up for the Slack integration: Slack Integration Guide | VictorOps Knowledge Base
If you're looking to reset the Splunk UF's user password, you can follow the instructions under the "Reset a lost administrator password" section on this page: Create secure administrator credentials - Splunk Documentation  
Thanks Yuanliu for your quick reply. The shared solution works for me. But now I am getting the error "'list' command: Limit of '100' for values reached. Additional values may have been truncated or ignored." Could you please suggest how to resolve this issue without updating the limits.conf file? @yuanliu
Dear Splunk new learners... https://www.youtube.com/@siemnewbies101/playlists The primary objective of this YouTube channel is to teach Splunk newbies / new learners the SPL commands and, most importantly, regular expressions. Please check it out, thanks.
I stand corrected.  Thanks, @richgalloway ! Now, @tom_porter will need to explain what "does not work" means.  To be clear, this phrase should be forbidden in a forum like this as it conveys very little information in the best scenarios. Illustrate/mock your data (anonymize as needed), show code you tried, show actual results (anonymize as needed), illustrate/mock desired results, explain the logic connecting data and desired results if it is not painfully obvious. Also explain the difference between actual results and desired results if it is not painfully obvious.
We fixed this issue by changing the HEC endpoint that the data was being sent to from services/collector/raw to  services/collector/event. More information here: https://docs.splunk.com/Documentation/Splunk/latest/Data/HECRESTendpoints
Extract the CI from the URL and use that in the eval command.

| rex field=URL "https?:\/\/(?<url_ci>[^\.]+)"
| eval ci = coalesce(ci, url_ci)
The first query I gave you should have worked, but the logic you just suggested should work, too. This query marks servers from the index as "indexed" and those from the lookup file as "lookup". After combining the results by server name, it keeps only the servers found in the index.

index=abc host=def_inven
| eval inven="indexed"
| append [ | inputlookup mylookup.csv | eval inven="lookup" ]
| stats values(*) as * by server
| where (mvcount(inven)=1 AND isnotnull(mvfind(inven,"indexed")))
Curly braces on the LHS of an eval say to use the contents of the field as the new field name. See if this example query helps explain:

| makeresults
| eval base="file_watch"
| eval {base}= base.".exe"
| eval {base}exe=base.".exe"
No, in the lookup file there are a few servers which are monitored, but also in the index there are some servers which are monitored, and I need to find which are not monitored. Is it possible to try something like this, for example:

index=abc host=def_inven
• if it is in inventory, flag it: flag inven=something
• join lookup <> flag splunk=something

so we can use | stats values by flag. Is this logic correct? If it is OK, give an exact query or suggest a different query. @richgalloway
Why did Splunk get 1129.3600000000001, not 1129.36?

As I already said, floating point arithmetic is messy on digital computers. But Splunk is also known to be quirkier. You can report this as a bug.

In the real data, I have more than 10, so addcoltotals will not show up on the front page

Given that Summary has that bug, you can decide whether to use addcoltotals as a workaround, or live with 1129.3600000000001. SPL doesn't control pagination. Also, I don't believe Summary offers rounding.
Using split in your emulation kind of obscures characteristics of the real data, how real data becomes multivalued, etc. But working from this (please post test code/mock code in text, not screenshots), there is a potential way to leverage the sort command, which automatically recognizes IPv4 format.

| makeresults
| eval ip = split("119.0.6.159,62.0.3.75,63.0.3.84,75.0.3.80,92.0.4.159", ",")
| mvexpand ip
| sort ip
| stats values(ip) as ip list(ip) as sorted_ip

This gives you

ip: 119.0.6.159, 62.0.3.75, 63.0.3.84, 75.0.3.80, 92.0.4.159
sorted_ip: 62.0.3.75, 63.0.3.84, 75.0.3.80, 92.0.4.159, 119.0.6.159

mvexpand can be expensive. list can be memory hungry. So, think of data strategy if performance is a concern. Do you have to present results in multivalue format?
I'm not sure if I get the idea.  Do you mean to use this? base = lower(type) exe=base.".exe" What is the intention of the curly brackets? (No, {base} is not a valid expression.)
Hi, I need help on the SPL query below.

| eval ci= if (isnull(ci),host,ci)

As per the current logic, if there is no value available in ci then it will take the host name as ci. Here the host value is the Splunk HF. I want it to pick up the server name or application name from the URL part instead of picking the Splunk HF as host in the ci field. How do I take the server name or application name from the URL part instead of picking the Splunk HF as host in the ci field?

URL examples:
http://abcdflpqr0012.abcd.xyz.com:5050/abcd/intro.html
http://prod-abcd.xyz.com:14000/identity

Can you please help me here. Thank you.
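The following is an added example, not written by the original poster or taken from the other answer on this page. It emulates the two URLs from the question with makeresults so the rex-plus-coalesce approach can be tried without real data; the host value "splunk-hf-01" and the starting state ci=null() are constructed for the demo. The coalesce order puts the URL-derived name ahead of host, so host is used only when neither ci nor the URL yields a name.

```spl
| makeresults count=2
| streamstats count as n
| eval URL=case(n=1, "http://abcdflpqr0012.abcd.xyz.com:5050/abcd/intro.html",
                n=2, "http://prod-abcd.xyz.com:14000/identity")
| eval host="splunk-hf-01", ci=null()
| rex field=URL "https?://(?<url_ci>[^./:]+)"
| eval ci=coalesce(ci, url_ci, host)
| table n URL url_ci ci
```

With these inputs url_ci (and therefore ci) becomes abcdflpqr0012 for the first URL and prod-abcd for the second; the character class stops at the first dot, colon or slash, so the port and path never leak into the name. If the real events carry host names that should win over the URL, move host earlier in the coalesce list.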
Apologies if this is a repetitive question, but I couldn't find information anywhere. We have the Splunk OnCall (VictorOps) Slack integration set up, but when an on-call change happens, it doesn't actually notify the user in Slack, even when the Slack user is linked to their VictorOps account. Instead, just a message appears in the relevant channel with their VictorOps username. Am I missing a place where this can be configured properly?
I have Linux audit records that have a field called type and fields with the naming convention lower(type).field. I want to be able to combine type, as a prefix, and a set of suffixes to create new field names that exist in the data. For example, I have a type called FILE_WATCH and fields called file_watch.exe, file_watch.egid, file_watch.comm, etc. I want to develop a dashboard table by type and suffix in Splunk to show if a particular field exists for a type. So going back to my example using type=FILE_WATCH, how can I create a new field name along these lines?

base = lower(type)
exe={base}.".exe"  # does not work, but you get the idea.

With exe now equal to the field name, I want to be able to de-reference the new field name to see if it exists.