All Posts

Hi @gcusello, thanks for your response. I need to print the count of Test 2 correlation_IDs by comparing them with the common correlation_IDs in the Test 1 results. Here are the sample results I mentioned.
Please tell me: how do I hide filters in Splunk Dashboard Studio? Is it an XML-only option? XML → <form hideFilters="true"> JSON → ???
Hi @Muthu_Vinith, so what is the issue, or is it a different requirement? Ciao. Giuseppe
Yes @gcusello 
Hi @Mohamad_Alaa, did you also insert the other values in the Correlation Search panel, especially Action: create Notable with all the requested information? See the information in another Correlation Search to understand if you forgot something. Ciao. Giuseppe
Hi @interloper, using the following regex you can extract the campus_site_code and function fields that you can use for your checks:
| rex "host\=\s*(?<campus_site_code>\w\d{3,5})(?<function>\w\w)"
You can check this regex at https://regex101.com/r/3rZhAE/1 Ciao. Giuseppe
Hi @Muthu_Vinith, did you test my approach? Ciao. Giuseppe
Hi @parthiban, do you only want to be sure that the correlation_IDs of the first search are also contained in the correlation_IDs of the second? Then you can use a subsearch:
index = Test1 invoked_component="XXXX" "genesys" correlation_id="*" message="Successfully received" [ search index = Test2 invoked_component="YYYY" correlation_id="*" message IN ("Successfully created" , "Successfully updated") | dedup correlation_id | fields correlation_id ] | stats count by correlation_id
This method works only if you have less than 50,000 results in the subsearch; otherwise you have to try something like this:
(index = Test1 invoked_component="XXXX" "genesys" correlation_id="*" message="Successfully received") OR (index = Test2 invoked_component="YYYY" correlation_id="*" message IN ("Successfully created" , "Successfully updated")) | stats dc(index) AS index_count count by correlation_id | where index_count=2
Ciao. Giuseppe
Hello everyone, I checked the log of the MaxMind tracker and got this error: "Could not download MaxMind GeoIP MD5, exiting." How can I solve this? Thank you.
Dear team, I need to join the two-index search and print the count of the common IDs. The two different index searches below work independently; both indexes have the same correlation_ID but different messages. So the common correlation_ID count for both indexes needs to be printed.
index = Test1  invoked_component="XXXX" "genesys" correlation_id="*" message="Successfully received" | stats count by correlation_id
index = Test2  invoked_component="YYYY" correlation_id="*" | where message IN ("Successfully created" , "Successfully updated") | stats count by correlation_id
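The two SPL forms in Giuseppe's answer above (a subsearch that feeds Test2's ids into the Test1 search, and an OR of both searches followed by stats dc(index)) select the same set of common correlation_ids but do not produce the same count, which matters because the question asks for a count. The Python below is an added example, not code from this page or from Splunk: it replays both forms over a small constructed event set whose index, invoked_component, correlation_id and message values mirror the question (the bare "genesys" keyword is folded into the Test1 predicate), and adds a third variant that gets the Test1-only count out of the OR form without a subsearch. All event data is invented for illustration.

```python
from collections import Counter, defaultdict

# Constructed events standing in for the two indexes in the question.
# Both indexes carry the same correlation_id values but different messages.
EVENTS = [
    {"index": "Test1", "invoked_component": "XXXX", "correlation_id": "c-1", "message": "Successfully received"},
    {"index": "Test1", "invoked_component": "XXXX", "correlation_id": "c-1", "message": "Successfully received"},
    {"index": "Test1", "invoked_component": "XXXX", "correlation_id": "c-2", "message": "Successfully received"},
    {"index": "Test1", "invoked_component": "XXXX", "correlation_id": "c-3", "message": "Successfully received"},
    {"index": "Test2", "invoked_component": "YYYY", "correlation_id": "c-1", "message": "Successfully created"},
    {"index": "Test2", "invoked_component": "YYYY", "correlation_id": "c-1", "message": "Successfully updated"},
    {"index": "Test2", "invoked_component": "YYYY", "correlation_id": "c-2", "message": "Successfully created"},
    {"index": "Test2", "invoked_component": "YYYY", "correlation_id": "c-3", "message": "Failed"},
    {"index": "Test2", "invoked_component": "YYYY", "correlation_id": "c-9", "message": "Successfully created"},
]


def matches_test1(e):
    """index=Test1 invoked_component="XXXX" message="Successfully received" correlation_id="*" """
    return (e["index"] == "Test1" and e["invoked_component"] == "XXXX"
            and e["message"] == "Successfully received" and bool(e.get("correlation_id")))


def matches_test2(e):
    """index=Test2 invoked_component="YYYY" message IN ("Successfully created", "Successfully updated") """
    return (e["index"] == "Test2" and e["invoked_component"] == "YYYY"
            and e["message"] in ("Successfully created", "Successfully updated")
            and bool(e.get("correlation_id")))


def counts_via_subsearch(events):
    """Subsearch form: Test2 supplies the id list (dedup correlation_id | fields correlation_id);
    the outer search then counts only Test1 events whose id is in that list."""
    ids_from_test2 = {e["correlation_id"] for e in events if matches_test2(e)}
    return dict(Counter(e["correlation_id"] for e in events
                        if matches_test1(e) and e["correlation_id"] in ids_from_test2))


def counts_via_dc_index(events):
    """OR form: (Test1 terms) OR (Test2 terms)
    | stats dc(index) AS index_count count by correlation_id | where index_count=2
    The count includes events from BOTH indexes."""
    indexes_seen = defaultdict(set)
    total = Counter()
    for e in events:
        if matches_test1(e) or matches_test2(e):
            indexes_seen[e["correlation_id"]].add(e["index"])
            total[e["correlation_id"]] += 1
    return {cid: n for cid, n in total.items() if len(indexes_seen[cid]) == 2}


def counts_via_dc_index_test1_only(events):
    """OR form with a per-index counter, i.e. the SPL
    | stats dc(index) AS index_count sum(eval(if(index="Test1",1,0))) AS test1_count by correlation_id
    | where index_count=2
    Gives the same numbers as the subsearch form without the subsearch result limit."""
    indexes_seen = defaultdict(set)
    test1_count = Counter()
    for e in events:
        if matches_test1(e) or matches_test2(e):
            cid = e["correlation_id"]
            indexes_seen[cid].add(e["index"])
            if e["index"] == "Test1":
                test1_count[cid] += 1
    return {cid: test1_count[cid] for cid in indexes_seen if len(indexes_seen[cid]) == 2}
```

On this data the subsearch form yields c-1 → 2 and c-2 → 1 (Test1 events only), the plain OR form yields c-1 → 4 and c-2 → 2 (events from both indexes), and c-3 drops out of both because its Test2 message is not one of the two accepted values. The third variant reproduces the subsearch numbers from the OR form, which is the one to use once the subsearch grows past its result limit.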
I checked the error; it is this:
ERROR io.dropwizard.jersey.errors.LoggingExceptionMapper - Error handling a request: xxxxxxxx java.lang.NoClassDefFoundError: Could not initialize class java.awt.GraphicsEnvironment
How can I solve this?
Is this even possible?! Any help will be appreciated. I need to search for specific text in a Windows host name that is located, by naming convention, after a 4-, 5- or 6-character campus site code. The specific text identifies the function of the host (e.g., print server, database server, domain controller, etc.). For example (these host names are simplified to illustrate the problem):
1.) host=L004PS4bldDC7, the campus site code is "L004" and the function code is "PS"
2.) host=L0005DB5bldPS, the campus site code is "L0005" and the function code is "DB"
3.) host=L00006DC6rDB1, the campus site code is "L00006" and the function code is "DC"
The data I'm searching through has 200+ campus site codes, each of which can be 4, 5 or 6 characters, and each search will return 1000+ events. We are using a lookup to identify the campus site attribute from the host name. Using the same process doesn't work for the function code. The characters following the function code are determined by the campus site admins and are used to identify the physical location of each host on their campus (building name or room number). These physical location codes sometimes contain characters that match a function code required by the naming convention. For instance, if I search for events or metrics from print servers using *PS*, I also get them from non-print servers like host #2 above.
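Giuseppe's rex answer above and this question are served by one added example. The Python below is not code from the page or from Splunk; it applies the same pattern (Splunk's PCRE-style named groups `(?<name>...)` become Python's `(?P<name>...)`, and the pattern is anchored to the start of the host value rather than preceded by `host=`) to the three sample host names from the question and contrasts it with the `*PS*` wildcard that produces the false positive. The host names are the ones in the question; the helper names are mine.

```python
import re

# Same pattern as the rex in the answer, with Python's named-group spelling and
# anchored at the start of the host value: one word character, 3-5 digits
# (site code of 4-6 characters), then the two-character function code.
HOST_RE = re.compile(r"^(?P<campus_site_code>\w\d{3,5})(?P<function>\w\w)")

# The three simplified host names from the question.
SAMPLE_HOSTS = ["L004PS4bldDC7", "L0005DB5bldPS", "L00006DC6rDB1"]


def parse_host(host):
    """Return {'campus_site_code': ..., 'function': ...} or None if the host
    does not follow the naming convention."""
    m = HOST_RE.match(host)
    return m.groupdict() if m else None


def hosts_with_function(hosts, function_code):
    """Positional match: only the two characters right after the site code count."""
    return [h for h in hosts
            if (p := parse_host(h)) is not None and p["function"] == function_code]


def hosts_matching_wildcard(hosts, function_code):
    """The *PS* style search from the question: matches anywhere in the name,
    including the admin-chosen location suffix, hence the false positive."""
    return [h for h in hosts if function_code in h]


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h, parse_host(h))
    print("positional PS:", hosts_with_function(SAMPLE_HOSTS, "PS"))
    print("wildcard *PS*:", hosts_matching_wildcard(SAMPLE_HOSTS, "PS"))
```

With the positional extraction only host #1 is a print server; the wildcard also returns host #2 because its location suffix ends in "PS". In Splunk the equivalent is to run the rex first and then filter on `function="PS"` instead of searching for `*PS*`.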
There is a flag you can give to tstats, chunk_size; see the docs here: https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/tstats It talks about high-cardinality distinct counts; you could experiment to see if that makes a difference.
Try something like this for 2:
index=newdata sourcetype=oracle source="/u0/DATA_COUNT.txt" loglevel="ERROR" [| makeresults | addinfo | eval earliest=relative_time(info_max_time,"-5m") | eval latest=info_max_time | table earliest latest] | stats dc(loglevel) by INSTANCE_NAME
| rex "output,1.*?(?<output1>\d+\s+rows)" | rex "output,6.*?(?<output6>\d+\s+records)"
I created a manual correlation search with the SPL below; the action is notable creation:
splunk_server=* index=* host=x.x.x.x "login" | stats count by src_ip | where count > 3
After that I can see the notable created from the search tab (index=notable), but Incident Review still has no values. Any hints, guys?
How do I create a detection rule for LLMNR with Sysmon or WinEventLog? I'm kind of new to Splunk.
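As an added example for the LLMNR question above (not code from the page, from Splunk or from Sysmon): LLMNR queries are sent over UDP to port 5355 on the link-local multicast groups 224.0.0.252 (IPv4) and FF02::1:3 (IPv6), so Sysmon Event ID 3 (network connection) records with those destinations identify hosts that still have LLMNR enabled and the process that issued the query. The Python below runs that check over a handful of constructed records that I flattened to key=value form for the example (real Sysmon events arrive as XML; the field names follow Sysmon's own: Computer, Protocol, Initiated, SourceIp, DestinationIp, DestinationPort, Image). The host names and paths are invented.

```python
import re
from collections import defaultdict

# LLMNR (RFC 4795): UDP 5355 to the link-local multicast groups below.
LLMNR_PORT = "5355"
LLMNR_GROUPS = {"224.0.0.252", "ff02::1:3"}

# Constructed Sysmon Event ID 3 records in key=value form (not real telemetry).
SAMPLE_EVENTS = [
    r"EventID=3 Computer=WS01 Protocol=udp Initiated=true SourceIp=10.0.0.5 SourcePort=61234 DestinationIp=224.0.0.252 DestinationPort=5355 Image=C:\Windows\System32\svchost.exe",
    r"EventID=3 Computer=WS01 Protocol=udp Initiated=true SourceIp=fe80::1 SourcePort=61235 DestinationIp=FF02::1:3 DestinationPort=5355 Image=C:\Windows\System32\svchost.exe",
    r"EventID=3 Computer=WS02 Protocol=udp Initiated=true SourceIp=10.0.0.6 SourcePort=50001 DestinationIp=10.0.0.53 DestinationPort=53 Image=C:\Windows\System32\svchost.exe",
    r"EventID=3 Computer=WS02 Protocol=tcp Initiated=true SourceIp=10.0.0.6 SourcePort=50002 DestinationIp=10.0.0.7 DestinationPort=445 Image=C:\Windows\System32\svchost.exe",
    r"EventID=3 Computer=WS03 Protocol=udp Initiated=true SourceIp=10.0.0.9 SourcePort=40000 DestinationIp=224.0.0.252 DestinationPort=5355 Image=C:\Tools\python.exe",
    r"EventID=3 Computer=WS01 Protocol=udp Initiated=true SourceIp=10.0.0.5 SourcePort=5353 DestinationIp=224.0.0.251 DestinationPort=5353 Image=C:\Windows\System32\svchost.exe",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Split a flattened key=value record into a dict (values contain no spaces here)."""
    return dict(KV_RE.findall(line))


def is_llmnr_query(ev):
    """True for an outbound UDP connection to an LLMNR multicast group on port 5355."""
    return (ev.get("EventID") == "3"
            and ev.get("Protocol", "").lower() == "udp"
            and ev.get("Initiated", "").lower() == "true"
            and ev.get("DestinationPort") == LLMNR_PORT
            and ev.get("DestinationIp", "").lower() in LLMNR_GROUPS)


def detect_llmnr(lines):
    """Aggregate LLMNR queries per computer: how many, and which images sent them.
    Mirrors the SPL idea: filter on the destination, then stats count values(Image) by Computer."""
    hits = defaultdict(lambda: {"queries": 0, "images": set()})
    for line in lines:
        ev = parse_kv(line)
        if is_llmnr_query(ev):
            entry = hits[ev.get("Computer", "unknown")]
            entry["queries"] += 1
            entry["images"].add(ev.get("Image", ""))
    return {c: {"queries": v["queries"], "images": sorted(v["images"])} for c, v in hits.items()}


def unexpected_senders(report):
    """Computers where something other than svchost.exe (which hosts the Windows
    DNS Client service that normally issues LLMNR queries) sent LLMNR traffic."""
    return sorted(c for c, v in report.items()
                  if any(not img.lower().endswith(r"\svchost.exe") for img in v["images"]))


if __name__ == "__main__":
    report = detect_llmnr(SAMPLE_EVENTS)
    for computer, v in sorted(report.items()):
        print(computer, v)
    print("non-svchost LLMNR senders:", unexpected_senders(report))
```

The DNS query to port 53, the SMB connection to 445 and the mDNS packet to 224.0.0.251:5353 are correctly ignored; WS01 and WS03 are flagged as LLMNR users, and WS03 additionally stands out because the sender is not svchost.exe. Presence of LLMNR queries alone is normal on a default Windows build; the value of the rule is the inventory of hosts that still have it enabled (the precondition for LLMNR poisoning) and the odd process, not an alert on every query.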
Hello Splunkers, I want to extract the output1 and output6 fields from the raw event.
Example Event 1: Message : output,1: The guess/tmp/var/tms/bmp_abcd/apm_salesforce/address_standardplot/serviceinput/AddressStandardiplot_S3_VariousDmsJob_V9_apm_unmatch_AVI-pct-STANDARD_123456789_9912333333-f12f-5cb9-aa10-9d101188ad47.banana.2 file, which contains 456 rows, was written to the standardplot-s3-abc-dev-005 bucket.
Example Event 2: Message : output,6: Input 0 consumed 123 records.
Desired result: output1=456 rows, output6=123 records
The Message field is also not auto-extracted by Splunk. I may need to use | rex field=_raw........ Please advise.
I need to be able to perform a search in Splunk for a message ID and identify all the users that received it. We currently have a SOAR playbook that uses the Microsoft EWS API, but that has been deprecated. As far as I know, Graph API (the replacement) does not have an endpoint for a full message trace. Does anyone have a better alternative?
As far as I could tell, it was some type of silent memory or data limit. I got away with using estdc() instead, since 100% accuracy wasn't required for my use case. You can try limiting the time frame or the number of events and see where it starts breaking with dc(). I'm not sure how to fix the issue; maybe a config limit or just more memory on the server.