Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.

All Posts

@ITWhisperer yes, agreed, but going on the search, it seems to be handwritten rather than copy/paste (type=lest) and it wasn't clear to me if the data really is MV or SV. I couldn't figure out what in fact the join was doing without any common fields - it's effectively an appendcols with no correlation between importer values. That colouring technique is certainly only suitable for SV fields.
You can use an <eval> statement for your drilldown instead of <set>:

<eval token="max_value">replace($click.value$, ",", "")</eval>
I am trying to query a Splunk search head using the Splunk connector from SOAR. However, my playbook is giving an error in the action block with the below error:

Failed to connect to splunk server. HTTP Error 400: Bad Request (1235)

There are no connectivity issues, as I have tested the connectivity to our asset in the app and it passed successfully. Yet, my playbook is failing with the above error. My playbook design consists of a format block that formats the simple SPL query as:

| makeresults | eval id="This is a test" | eval playbook="App upgrade splunk" | table _time id playbook

which is referenced in the action block that queries a Splunk search head using the Splunk app. Any advice on the possible issue is much appreciated. Thanks in advance.
Thanks, this explained everything I needed for how to use HEC on Splunkcloud.
I tried to override the settings in server.conf and restart Splunk Enterprise, but it seems I still get "uncaught exception". I saw this in the browser console:

common.js:1349 POST http://localhost:8000/en-US/splunkd/__raw/services/apps/local 500 (Internal Server Error)

I also tried to override some other settings under `applicationsManagement`, but it seems that won't work. The error in the _internal log doesn't sound useful at all:

12-07-2023 13:54:14.770 -0800 ERROR ApplicationUpdater [2903300 TcpChannelThread] - Unexpected error downloading update: Uncaught exception
I've got this search:

index=main sourcetype="bigfix"
| eval raw=_raw
| rex mode=sed field=raw "s/\n/ /g"
| rex field=raw "At \d+:\d+:\d+\s+-0800\s+-(?<message>.*)"
| rex field=message "^(?<message_type>[^:]+):\s"
| eval message_type_ns=replace(message_type, " ", "")
| eval x_message_type=if(message_type == message_type_ns, message_type, "No message type")
| stats count by message_type, message_type_ns, x_message_type

That doesn't appear to be working correctly. I'm always getting either all true or all false. This is the output:

"message_type","message_type_ns","x_message_type",count
" ActionLogMessage",ActionLogMessage,"No message type",240
" ActiveDirectory",ActiveDirectory,"No message type",128
" Client has an AuthenticationCertificate Relay selected",ClienthasanAuthenticationCertificateRelayselected,"No message type",2
" Client shutdown (Service manager shutdown request) ******************************************** Current Date","Clientshutdown(Servicemanagershutdownrequest)********************************************CurrentDate","No message type",3
" Encryption",Encryption,"No message type",11
" Initializing Site",InitializingSite,"No message type",43
" PollForCommands",PollForCommands,"No message type",13
" Processing fixlet site. ******************************************** Current Date","Processingfixletsite.********************************************CurrentDate","No message type",1
" RegisterOnce",RegisterOnce,"No message type",149
" Report posted successfully ******************************************** Current Date","Reportpostedsuccessfully********************************************CurrentDate","No message type",1
" Restricted mode Initializing Site",RestrictedmodeInitializingSite,"No message type",3
" User interface process disabled for user 'user' ActiveDirectory","Userinterfaceprocessdisabledforuser'user'ActiveDirectory","No message type",1
" User interface process disabled for user 'user' ActiveDirectory","Userinterfaceprocessdisabledforuser'user'ActiveDirectory","No message type",1
" User interface session ended for user 'user' User interface session ended for user 'user' ******************************************** Current Date","Userinterfacesessionendedforuser'user'Userinterfacesessionendedforuser'user'********************************************CurrentDate","No message type",1
" User interface session ended for user 'user' ActiveDirectory","Userinterfacesessionendedforuser'user'ActiveDirectory","No message type",1
" User interface session ended for user 'user' ******************************************** Current Date","Userinterfacesessionendedforuser'user'********************************************CurrentDate","No message type",1

When I try this simple case, it works:

| makeresults
| eval string_a="Client shutdown (Service manager shutdown request) ******************************************** Current Date"
| eval string_b="Client_shutdown_(Service_manager_shutdown_request)_********************************************_Current_Date"
| eval my_string=if(string_a == string_b, string_a, string_b)

And the output:

_time  my_string  string_a  string_b
2023-12-07 10:14:17  Client_shutdown_(Service_manager_shutdown_request)_********************************************_Current_Date  Client shutdown (Service manager shutdown request) ******************************************** Current Date  Client_shutdown_(Service_manager_shutdown_request)_********************************************_Current_Date

What I'm trying to do is find these:

At 09:01:45 -0800 - Encryption: optional encryption with no certificate; reports in cleartext

The above would have message_type=Encryption. This example:

At 09:00:39 -0800 - Starting client version xx.yy.zz.aa FIPS mode disabled by default. Cryptographic module initialized successfully. Using crypto library libBEScrypto - OpenSSL

would have message_type="No message type". I've tried using colon (:), but there are messages with embedded colons. Any thoughts on how to solve this are appreciated. TIA, Joe
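As an added emulation (not part of the post above, and not the poster's search), the search below runs the same kind of extraction over the two sample lines quoted in the post plus one constructed line that carries an embedded colon. It treats the message type as present only when the text right after the " - " separator is a single token immediately followed by a colon, and falls back to "No message type" otherwise. The `\s*` after the dash, which keeps the leading space out of the captured message, and the `[+-]\d{4}` offset are generalisations of the pattern in the post; the field name `raw` and the third sample line are my own.

```spl
| makeresults format=csv data="raw
At 09:01:45 -0800 - Encryption: optional encryption with no certificate; reports in cleartext
At 09:00:39 -0800 - Starting client version xx.yy.zz.aa FIPS mode disabled by default. Cryptographic module initialized successfully. Using crypto library libBEScrypto - OpenSSL
At 09:02:10 -0800 - ActionLogMessage: action completed at 09:02:09 with status 0"
| rex field=raw "^At \d+:\d+:\d+\s+[+-]\d{4}\s+-\s*(?<message>.*)"
| rex field=message "^(?<message_type>\S+):\s"
| eval message_type=coalesce(message_type, "No message type")
| table message_type, message
```

Because the second rex is anchored at the start of `message` and only allows non-space characters before the colon, the "Starting client version ..." line does not match and gets the default, while the colon inside "09:02:09" on the third line is irrelevant since the match is decided by the first token alone. Replace the `makeresults` with `index=main sourcetype="bigfix"` and the `eval raw=_raw | rex mode=sed ...` steps from the post to run it against real events.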
OK - that is a really good call - frustratingly I do get a working search even on the charts that show no data. I'll need to touch base with our cyber team to get a review done before I post anything, sorry. I did create a test dashboard with:

chart 1 = index=my_index (shows data)
chart 2 = index=my_index (base), then: timechart span=30m count(eventClass) by severity (chained search) (NO DATA)

Really appreciate the time and effort spent here - I have used chained searches elsewhere, I'll check the docs again.
How to display a timechart for a specific time period on specific business days. E.g.:

index="someindex" | dedup eventid | timechart count(_raw) by eventName span=60m

for Monday, Tuesday, Wednesday, Thursday, Friday during 6pm - 8pm, or for specific dates. How can I achieve this? Thanks in advance.
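An added example (not part of the question, and not an official answer) of one way to restrict the chart to weekday evenings, assuming the index, `eventid` and `eventName` names from the question. `%w` is the weekday as a number (Sunday = 0, so Monday to Friday are 1 to 5) and `%H` the hour, both evaluated in the time zone of the user running the search:

```spl
index="someindex"
| dedup eventid
| eval dow=tonumber(strftime(_time, "%w")), hour=tonumber(strftime(_time, "%H"))
| where dow>=1 AND dow<=5 AND hour>=18 AND hour<20
| timechart span=60m count by eventName
| where tonumber(strftime(_time, "%w"))>=1 AND tonumber(strftime(_time, "%w"))<=5 AND tonumber(strftime(_time, "%H"))>=18 AND tonumber(strftime(_time, "%H"))<20
```

The first `where` keeps only the events of interest; the second one, after `timechart`, drops the zero-count buckets that `timechart` still emits for every hour of the selected time range (weekend days and daytime hours would otherwise appear as flat zeros). For specific dates instead of weekdays, replace the weekday test with something like `strftime(_time, "%Y-%m-%d") IN ("2023-12-04", "2023-12-05")` in both `where` clauses.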
I have data like this:

{
  ...
  name: AppName
  metrics: {
    data: [
      {
        details: { ... }
        name: dataName1
        status: UP
      }
      {
        details: { ... }
        name: dataName2
        status: UP
      }
      { ... }
    ]
    indicators: [...]
    status: DOWN
  }
  logs: { ... }
  ping: 1
}

I tried to extract each name and status inside data, so I called:

spath output=metrics path=metrics
| rename metrics.data{}.name as name, metrics.data{}.status as status
| table _time, name, status

This gives a proper table:

_time  name  status
2023-12-07 15:36:28  dataName1 dataName2 dataName3  UP DOWN UP
2023-12-07 15:35:29  dataName1 dataName2 dataName3  DOWN DOWN UP
2023-12-07 15:34:30  dataName1 dataName2 dataName3  DOWN UP DOWN

However, after putting this search into the Dashboard Studio search query, it simply returned "No Search Result Returned". Is there something wrong with rename? Thank you!
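An added example (not the poster's search) that produces one row per element of `data[]` instead of multivalue cells, which is usually easier to chart and to read in a dashboard table. The event is a constructed JSON document shaped like the one in the question, with the elided parts replaced by small placeholder values. `spath` on `metrics.data{}` returns each array element as its own JSON string, `mvexpand` turns those into separate events, and the second pair of `spath` calls pulls `name` and `status` out of each element:

```spl
| makeresults
| eval _raw="{\"name\":\"AppName\",\"metrics\":{\"data\":[{\"details\":{\"x\":1},\"name\":\"dataName1\",\"status\":\"UP\"},{\"details\":{\"x\":2},\"name\":\"dataName2\",\"status\":\"DOWN\"},{\"details\":{\"x\":3},\"name\":\"dataName3\",\"status\":\"UP\"}],\"indicators\":[],\"status\":\"DOWN\"},\"logs\":{},\"ping\":1}"
| spath path=metrics.data{} output=entry
| mvexpand entry
| spath input=entry path=name output=name
| spath input=entry path=status output=status
| table _time, name, status
```

Run against real events, drop the `makeresults` and `eval _raw=...` lines and keep the rest. Because `mvexpand` copies every other field onto each new row, `_time` stays with its entries, so a later `timechart count by status` or `stats latest(status) by name` works without any further reshaping.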
Rather than using set, use eval - try it like this:

<drilldown>
  <eval token="form.builds_tk">mvindex(split("$click.value$", "-"), 1)</eval>
</drilldown>
Apologies @woodcock, I am too late here, but would it work with a role not having the rtsearch capability? The doc says:

schedule_rtsearch: Lets the user schedule real-time saved searches. The schedule_search and rtsearch capabilities must also be assigned to the role.
Can you apply transformative operations inside set tags from drilldown tags? E.g.:

<drilldown>
  <set token="form.builds_tk">$click.value$</set>
</drilldown>

I would like to take the value captured from click value, split it (or regex), then use the first value. E.g.:

<drilldown>
  <set token="form.builds_tk">mvindex(split("$click.value$", "-"), 1)</set>
</drilldown>
Hello. When I turned on Total for Statistics under Format > Summary, the output shows long digits after the decimal point:

Total: 1129.3600000000001

How do I round this number to 1129 or 1130? Thank you.

| makeresults format=csv data="Student, Score
a,153.8
b,154.8
c,131.7
d,115.4
e,103.2
f,95.4
g,95.4
h,93.2
i,93.2
j,93.26"
| table Student, Score
Join The Event: Get Resiliency in the Cloud on January 18th, 2024 (8:30AM PST)

Hear industry experts from Pacific Dental Services, IDC and The Futurum Group CEO, Daniel Newman, share how to build a strong foundation of security and resilience for your expansion to the cloud. Learn about the drivers and benefits that lead enterprises to build data-centric security and observability on a unified Splunk Cloud Platform, delivered as a service. By migrating deployments to Splunk Cloud Platform, organizations are able to search, analyze, visualize and act on their data with unprecedented insights, security and compliance, all from the cloud. Additionally, you will learn about:

- How digital transformation is influencing businesses to expand to the cloud - a talk by Futurum CEO Daniel Newman
- The cloud transformation journey from Pacific Dental Services with Splunk
- New advancements in Splunk Cloud Platform that accelerate the journey to the cloud
- Achieving faster value realization with Splunk services
OK. So these are your inputs. And your outputs?
To be fully honest, if your data is well-formed XML, I'd just go for KV_MODE=xml.
Do you mean to say that the raw event data contains extra strings such as "Event data -"? Are there any additional strings after the closing curly bracket? Is there any other opening curly bracket before the one shown in your mock data? If none of those exist, simply do:

| rex "(?<json>{.+)"
| spath input=json

Here is an emulation using your mock data:

| makeresults
| eval _raw = "Event data - {\"firstName\":\"John\",\"lastName\":\"Doe\"}"
| rex "(?<json>{.+)"
| spath input=json
| fields - _*

Play with it and compare with real data. The emulation should give:

firstName  json  lastName
John  {"firstName":"John","lastName":"Doe"}  Doe
To test connectivity, first start the new DS. Then sign in to a few DS clients and use your favorite networking tool to ensure the client can reach the new DS's management port (usually 8089).

The cutover steps depend on your configuration. In an ideal world, DS clients use a DNS name to access the DS. In that case, it's just a matter of changing the DNS to point to the new server.

Chances are you do not live in that world, however. The next-best scenario is you have an app ("org_all_deploymentclients", for example) deployed to all clients that includes a deploymentclient.conf file. If that's the case then just update the file with the new DS name/address and clients will pick it up and switch over automatically as they phone home.

In the worst case, the clients have the DS specified in $SPLUNK_HOME/etc/system/local/deploymentclient.conf. That file cannot be overridden by an app so you're a little stuck. There are a few options:

1. Manually sign in to each box and delete $SPLUNK_HOME/etc/system/local/deploymentclient.conf so the org_all_deploymentclients app can provide the right info.
2. Use automation to do the above.
3. Create an app containing a script that deletes the $SPLUNK_HOME/etc/system/local/deploymentclient.conf file and deploy that script to each client. Then the client can download org_all_deploymentclients and connect to the new DS.
This is confusing. The order of output is determined by the order in which your data comes back from the index search, and it is not altered by the bin command that @bowesmana suggests. If your data input is not ordered, simply sort your data:

| bin _time span=1h
| sort _time