That is a different question (which has been answered many times before). Essentially, you make your field a multivalue field and hide the second value with CSS, but you can still use the (hidden) value to select the colour by expression. Solved: Re: Highlight row if unique values exist within dy... - Splunk Community
I would like to compare total throughput for two dates 60 days apart (say, current and -60d). The query in the CMC that generates the throughput is: index=_internal (host=`sim_indexer_url` OR host=`sim_si_url`) sourcetype=splunkd group=per_Index_thruput series!=_* | timechart minspan=30s per_second(kb) as kb by series. I need the series information, but it could be binned into 1 whole day.
I'm having trouble using any action with an IPv6 value; any action of any app that I try to use an IPv6 address with returns this error. Nov 29, 09:25:17 : 'add_element_1' on asset 'akamai original': 1 action failed. (1)For Parameter: {"context":{"artifact_id":0,"guid":"857e066c-de68-4109-a58b-ee1e515b01dd","parent_action_run":[]},"elements":"2804:1b3:ac03:a6dd:d941:1714:85bb:8b4","networklistid":"7168_ORIGINALBLACKLIST"} Message: "Parameter 'elements' failed validation"   Nov 29, 09:25:17 : 'add_element_1' on asset 'akamai original' completed with status: 'failed'. Action Info: Size : 336 bytes : [{"app_name":"Akamai WAF","asset_name":"akamai original","param":{"context": {"guid": "857e066c-de68-4109-a58b-ee1e515b01dd", "artifact_id": 0, "parent_action_run": []}, "elements": "2804:1b3:ac03:a6dd:d941:1714:85bb:8b4", "networklistid": "7168_ORIGINALBLACKLIST"},"status":"failed","message":"Parameter 'elements' failed validation"}]   I always receive the message "Parameter 'elements' failed validation"; in this case it is an app to add an IP to an Akamai network list. If anyone has managed to use IPv6, I would be glad if you could share it with me. Thanks.
Hi Team, I came across an issue where I have the sample logs below in a file:
15:30:31.396|Info|Response ErrorMessage: ||
15:30:36.610|Info|Logging Rest Client Request...||
15:30:36.610|Info|Request Uri: https://abc-domain/api/xy/Identify||
15:30:36.694|Info|Logging Rest Client Response...||
15:30:36.694|Info|Response Status Code: 401||
15:30:36.710|Info|Response Status Description: Unauthorized||
15:30:36.741|Info|Response Content: ||
15:30:36.741|Info|Response ErrorMessage: ||
15:30:36.762|Info|Logging Rest Client Request...||
I am using Splunk forwarder version splunkforwarder-8.2.4-87e2dda940d1-x64-release with the props.conf settings below:
[xyz:mnl]
LB_CHUNK_BREAKER = ([\r\n]+)
On the Splunk portal I am not getting one line as one event; instead I am getting multiple lines as a single event, like below
Just in case someone is still looking for an answer to this, go to ES Threat Intelligence Management and click New -> TAXII URL: https://otx.alienvault.com/taxii/collections Post Arguments: collection=user_AlienVault taxii_username=xxxxxxxxxxxxxyourAPIKeyHerexxxxxxxxx taxii_password=foo Cheers!
Hey @Splunkerninja, I used makeresults to get a statistical table as provided in the question. You can use the query below to identify a User that has both ID "AD" and "AR9": | makeresults | eval User="John", ID="AD" | append [| makeresults | eval User="John", ID="AY9"] | append [| makeresults | eval User="Riya", ID="AD"] | append [| makeresults | eval User="Toby", ID="AR9"] | append [| makeresults | eval User="Nathan", ID="AD"] | append [| makeresults | eval User="Nathan", ID="AR9"] | append [| makeresults | eval User="Sam", ID="AD"] | append [| makeresults | eval User="Sam", ID="AR9"] | fields - _time | table User ID | stats values(ID) as ID by User | mvcombine ID delim="" | eval match=if(match(ID,"AD AR9"),1,0) | search match="1"   Thanks, Tejas. --- If the above solution is helpful, an upvote is appreciated.
Try something like this | makeresults format=csv data="A,B,C,D,E,F 0.1,b1,0.1,d1,0.1,f1 0.11,b2,0.2,d2,0.35,f2 0.2,b3,0.3,d3,0.9,f3 0.22,b4,,,1.0,f4 0.4,b5 0.5,b6 0.55,b7 0.9,b8" | table A B C D E F ``` The lines above create dummy event data in line with your example (it is often helpful if you had provided this yourself) ``` | appendpipe [| rename A as a | rename B as b | eval C=null() | eval D=null() | eval E=null() | eval F=null()] | fields - A B | appendpipe [| where isnotnull(C) | eval A=null() | eval B=null() | eval a=C | rename C as c | rename D as d | eval E=null() | eval F=null()] | fields - C D | appendpipe [| where isnotnull(E) | eval A=null() | eval B=null() | eval C=null() | eval D=null() | eval a=E | rename E as e | rename F as f] | fields - E F | where isnotnull(a) | stats values(*) as * by a | rename a as A | rename b as B | rename c as C | rename d as D | rename e as E | rename f as F
Yeah, I got it. Thanks @gcusello
I added the index specifically and am still having the same issue. I noticed the below as well: "App configuration: The "Splunk Common Information Model" app has not been fully configured yet. This app has configuration properties that can be customized for this Splunk instance. Depending on the app, these properties may or may not be required." But I am not sure how to proceed; the index was already added and some data models were accelerated. I only have the same button, not a Next or Proceed button.
But I have 2 fields, and I want to color the first field according to the value of the second field: if true, then color it red. The fields are defined as eval in the query. Thank you.
We have a situation where the application sends the logs in syslog format, but we don't have a syslog server to receive them. Instead, can we make the UF (installed on the same app server) receive those syslog events and forward them to Splunk Cloud? Note: we don't have a physical location of the logs on the app server to monitor using the UF.
Hey @SplunkExplorer, it seems that a few hosts are sending in classic text format and not in XML format. And yes, you can run the btool command to identify the parameter setting. Below is the btool command for your reference: $SPLUNK_HOME/bin/splunk btool inputs list WinEventLog://Security --debug | grep renderXml
Hi, I want to display the result only for users who have both IDs AR9 & AD. Below is sample data; I have about 10k results being generated with multiple values, but I need to display only those users who have both IDs AR9 & AD.
USER ID
John AD
John AY9
Riya AD
Toby AR9
Nathan AD
Nathan AR9
Sam AD
Sam AR9
Thanks!
Solved it by changing to stats. Thanks.
At the same time I have a message: The search "Network - Traffic Volume Per 30m - Model Gen" is related to the correlation search "Network - Unusual Volume of Network Activity - Rule" but it is not enabled even though the correlation search is; this will cause the correlation to fail.
So what should I do? Replacing it with timechart also returns no results.
Hi @ITWhisperer, actually I created the data by hand to simplify the actual situation somewhat. The data is unfortunately sensitive and I cannot show too much. I did not use any appendcols for the actual data, but eval with if conditions. Thanks.
Sorry, I missed the chart command on your first line. This is the command which is removing the timestamps.
It looks like your sample data has been created with a couple of appendcols. If this is the case, perhaps it would be easier to go back a step and try and create your desired output from the original searches?
Hi All, I am having a very weird issue where I cannot see a report in the Splunk UI. When I search using Filter: All, I can see the report, but when I set the filter to 0, I get 'no searches, reports, and alerts found'. This couldn't be a case of visibility, as the configuration isn't set in the conf file. These are the set specs in the conf file, attached below for reference. I have also attached the metadata file, as there is no access control information set for the specific saved search. There are 6 more savedsearches which I can see when I filter using Report, but not this specific one. No clue how the report is not found during the filter. Thanks in advance. Pravin