All Posts

Hi @tscroggins, this is the solution I thought of, but one that I'd like to avoid: I'll try to persuade the customer to use the Universal Forwarder, otherwise I will create a translator from WinLogBeat to Splunk_TA_Windows, as I did for Linux. Thank you. Ciao. Giuseppe
Hi @vishenps, if the updated apps aren't related, you can wait and restart once. It could be different if you have related apps (e.g. MLTK and Python), for which I'd like to follow the proper restart sequence. Ciao. Giuseppe
Hi, the easiest way is to look at the MC (Monitoring Console). You can find it under Settings -> Monitoring Console. There select Indexing -> Indexes and Volumes -> Index details: Deployment. It gives you a dashboard with Earliest and Latest Event information. Under the Earliest value there is a magnifying glass which you should click to get the SPL that generates that value. When you want to get that value based on bucket type (warm, cold) you must update that query to calculate those values by the fields bucket_dirs.home.event_min_time and minTime (this should be the cold bucket time). r. Ismo
Hi, I cannot say this 100% for Cloud, but at least on-prem (I suppose that this is valid also for Cloud), when you are updating those apps at the same time (within minutes etc.) you can update all of them and after the last update do a restart. Of course, if there is some special app or those apps are dependent on each other, then it's better to do at least some restarts between updates. r. Ismo
Hi Community, hope you are doing well. We have set the retention of each index to 1 year (6 months of data is searchable (Hot mount or Cold mount) and 6 months of data is frozen (Archive mount)) due to our compliance requirements. Now I need to identify the oldest data age for each index: Hot, Warm and Frozen. Is the data bucket present for one year or not in our mount points? Please share the command to identify the bucket age for each index. Regards, Mehboob
Hi, it's hard to say if any of those directly affects Splunk, but usually it's a best practice to keep your OS and also other products up to date to avoid any security issues. You have already found Splunk's own security issue page, which you also should act on as soon as possible. r. Ismo
Hi, have you any document which describes your naming policy? Or should we just guess which parts are standard, like
(DR) Country-Cisco_Router-<IP>-<content>
<IP>-Country-Server type-<host>-<user>
etc. r. Ismo
Hello Splunk experts, I'm pretty new to Splunk and I would like your help in forming a query for the following requirement. I would like to create a bar chart for each OEM (a total of 5 separate bar chart widgets since we have 5 OEMs) based on the completion progress of NCAPTest. These events will be pushed to Splunk every Monday. The x-axis should show the timestamp (_time) in the format YYYY-MM-DD and the y-axis should show a stacked bar graph where the bottom portion of the bar shows the completed count (NCAPTest=Yes) along with the completion percentage and the top portion shows the remaining count (NCAPTest=No). This is how the data looks:

6 Nov 2023 events:
OEM      Model    Type       NCAPTest
Honda    Civic    Sedan      No
Honda    CR-V     SUV        Yes
Honda    Fit      Hatchback  No
VW       Jetta    Sedan      Yes
VW       Tiguan   SUV        Yes
VW       Golf     Hatchback  No
Tata     Harrier  SUV        Yes
Tata     Tiago    Hatchback  No
Tata     Altroz   Hatchback  No
Kia      Seltos   SUV        No
Kia      Forte    Sedan      No
Kia      Rio      Hatchback  No
Hyundai  Elantra  Sedan      No
Hyundai  Kona     SUV        Yes
Hyundai  i20      Hatchback  No

13 Nov 2023 events:
OEM      Model    Type       NCAPTest
Honda    Civic    Sedan      Yes
Honda    CR-V     SUV        Yes
Honda    Fit      Hatchback  No
VW       Jetta    Sedan      Yes
VW       Tiguan   SUV        Yes
VW       Golf     Hatchback  No
Tata     Harrier  SUV        Yes
Tata     Tiago    Hatchback  No
Tata     Altroz   Hatchback  Yes
Kia      Seltos   SUV        No
Kia      Forte    Sedan      Yes
Kia      Rio      Hatchback  Yes
Hyundai  Elantra  Sedan      No
Hyundai  Kona     SUV        Yes
Hyundai  i20      Hatchback  No

20 Nov 2023 events:
OEM      Model    Type       NCAPTest
Honda    Civic    Sedan      Yes
Honda    CR-V     SUV        Yes
Honda    Fit      Hatchback  Yes
VW       Jetta    Sedan      Yes
VW       Tiguan   SUV        Yes
VW       Golf     Hatchback  Yes
Tata     Harrier  SUV        Yes
Tata     Tiago    Hatchback  Yes
Tata     Altroz   Hatchback  Yes
Kia      Seltos   SUV        Yes
Kia      Forte    Sedan      Yes
Kia      Rio      Hatchback  Yes
Hyundai  Elantra  Sedan      Yes
Hyundai  Kona     SUV        Yes
Hyundai  i20      Hatchback  Yes

Any help is greatly appreciated.
All the other solutions are tricky and need more time; for now I settled on SEDCMD, which only works with a custom sourcetype. I am still exploring, and if I find anything that works I will update this post.
Hello, I am trying to install Splunk onto an Ubuntu server. I cannot find the CLI to do it.
Hi, I have a log in which the field is called "name". The regex cannot get the hostname from the name field because there are multiple scenarios. E.g. as below:
(DR) HostA-AIX-172.0.0.0-root
01-HostA-10-Cambodia-Cisco_Router-10.0.0.0-root1
172.0.0.0-Malaysia-Windows Server 2016-HostA-admin
172.0.0.0 - HostA-Indonesia-Win2012-172.0.0.0-admin
3D-(DR) HostA-Win2003-172.0.0.0 [NAT IP 192.0.0.0] (dmin)
AD-HostA.local-srv_AB_CDD
HostA-India-Solaris10-172.0.0.0-root
These are the sample inconsistent log values from which we need to get the hostname. The highlighted one is what we should get as the hostname. Please assist on this by creating a new regex.
Please elaborate on "it is not working". What results are you expecting and what results do you get? Are you seeing anything at all from the UF in Splunk Cloud, or is it just the monitored file that you don't find? How are you checking for the data? Have you looked at splunkd.log on the UF for clues? I have edited your last reply to remove information anyone could have used to send random data to your Splunk Cloud instance.
Hi @tscroggins @richgalloway @PickleRick, in the sample event below, C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe appears in both ParentProcessName and NewProcessName, so we might need specialized handling. Would you like to help with an XML regex pattern to cover these conditions?

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID><Version>2</Version><Level>0</Level><Task>13312</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-11-27T08:18:13.998467800Z'/><EventRecordID>151265209</EventRecordID><Correlation/><Execution ProcessID='4' ThreadID='11116'/><Channel>Security</Channel><Computer>xxvy.com</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>NT AUTHORITY\SYSTEM</Data><Data Name='SubjectUserName'>Admin$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='NewProcessId'>0x3978</Data><Data Name='NewProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x2f80</Data><Data Name='CommandLine'></Data><Data Name='TargetUserSid'>NULL SID</Data><Data Name='TargetUserName'>-</Data><Data Name='TargetDomainName'>-</Data><Data Name='TargetLogonId'>0x0</Data><Data Name='ParentProcessName'>C:\Program Files (x86)\Tanium\Tanium Client\TaniumClient.exe</Data><Data Name='MandatoryLabel'>Mandatory Label\System Mandatory Level</Data></EventData></Event>

Can we use it like this?

blacklist4 = $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="NewProcessName">(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>%
blacklist5 = $XmlRegex=%<Provider[^>]+Name="Microsoft-Windows-Security-Auditing"% $XmlRegex=%<EventID>4688<\/EventID>% $XmlRegex=%<Data Name="ParentProcessName">(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe)<\/Data>%
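A way to dry-run a WinEventLog blacklist entry like the one above before deploying it, as an added example that is not from the post or from Splunk: it splits a blacklist value into its $XmlRegex=%...% patterns and applies them to a shortened copy of the sample event. It assumes, as Splunk's inputs.conf spec describes, that every key=regex pair in one blacklist entry must match for the event to be dropped, and it uses single-quoted attribute values because that is how the rendered event above quotes them.

```python
import re

# Constructed sample: the 4688 event from the post, cut down to the elements the
# blacklist regexes inspect. Rendered XML attributes use single quotes, as in the post.
SAMPLE_EVENT = (
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
    "<System><Provider Name='Microsoft-Windows-Security-Auditing' "
    "Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4688</EventID></System>"
    "<EventData>"
    "<Data Name='NewProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe</Data>"
    "<Data Name='ParentProcessName'>C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumClient.exe</Data>"
    "</EventData></Event>"
)

# Constructed control event: same shape, a different process, which must NOT be dropped.
CONTROL_EVENT = SAMPLE_EVENT.replace("TaniumClient.exe", "notepad.exe")

TANIUM_EXE = r"C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumClient\.exe"

# The post's blacklist4 value, with attribute quoting changed to match the rendered event.
BLACKLIST4 = (
    "$XmlRegex=%<Provider[^>]+Name='Microsoft-Windows-Security-Auditing'% "
    r"$XmlRegex=%<EventID>4688<\/EventID>% "
    r"$XmlRegex=%<Data Name='NewProcessName'>(" + TANIUM_EXE + r")<\/Data>%"
)

# The same entry exactly as quoted in the post (double-quoted attribute values).
BLACKLIST4_AS_POSTED = BLACKLIST4.replace("'", '"')


def parse_blacklist(value: str) -> list:
    """Return the regex patterns of one blacklist<N> value ('%' is the delimiter used in the post)."""
    return re.findall(r"\$XmlRegex=%(.*?)%", value)


def is_blacklisted(event: str, value: str) -> bool:
    """Emulate Splunk's rule: every key=regex pair of the entry must match for the event to be dropped."""
    patterns = parse_blacklist(value)
    return bool(patterns) and all(re.search(p, event) for p in patterns)


if __name__ == "__main__":
    print("sample dropped:", is_blacklisted(SAMPLE_EVENT, BLACKLIST4))            # True
    print("control dropped:", is_blacklisted(CONTROL_EVENT, BLACKLIST4))          # False
    print("as posted dropped:", is_blacklisted(SAMPLE_EVENT, BLACKLIST4_AS_POSTED))  # False
```

The third call shows why quoting matters: with double-quoted attribute names the Provider and Data patterns never match the rendered event, so nothing is filtered.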
Hi @Ka21, Splunk periodically releases updates to address vulnerabilities in libraries shipped with Splunk products. Browse to <https://advisory.splunk.com/> to review bulletins labeled "Third Party Package Updates in Splunk Enterprise" and "Splunk Universal Forwarder Third-Party Updates." For November 2023:
November 2023 Third Party Package updates in Splunk Enterprise
November 2023 Splunk Universal Forwarder Third-Party Updates
Third Party Package Update in Splunk Add-on for Google Cloud Platform
Third Party Package Update in Splunk Add-on for Amazon Web Services
Re: Java, you'll need to review individual Java-based apps and add-ons (Splunk ITSI, Splunk DB Connect, etc.) for compatibility and upgrade the JRE as needed.
You can't do this construct
| timechart count as totalNumberOfPatches by X | eval a=case(X=bla, 1...)
because when you split a timechart by a field, the "count AS totalNumberOfPatches" does not result in a field called totalNumberOfPatches; instead the fields are named after the values of the split-by field, in your case Computer_Name. I assume you have a stats rather than a timechart, but as @richgalloway says, using dc() is the way to count distinct versions of a field.
The 'polite' way to put it would likely be "limited experience with macros", the straight one would be "stupidity". I'll invest a little more time into this thing before I settle on a solution, thanks for the honest feedback!
Hi, thanks for the reply @richgalloway. All you said makes sense. However, there are a few scenarios where these statements might be out of order. Let me justify what I think. Splunk SE accessible from outside? I do not think any on-prem instance is designed to be remotely accessible. Anything can be reached via a switch (IP + port). All can of course be configured to restrict Internet to Intranet communication. Not even considering insiders and how all, even read-only, users handle the queries they send to the SE switch URI etc. I am sure the following will change our perspective of what this may cause if ignored as low severity: https://blog.hrncirik.net/cve-2023-46214-analysis Attackers, attack-as-a-service plus AI capabilities make it even harder for defenders to defend. We simply do not know what we do not know in most instances before they get announced as zero days. Thanks
Hi @richgalloway, thanks for replying, but even after following the mentioned steps it is not working.
[httpout]
httpEventCollectorToken = $...=
uri = https://xxx.splunkcloud.com:8088
Am I missing anything here?
See https://docs.splunk.com/Documentation/Forwarder/9.1.2/Forwarder/Configureforwardingwithoutputs.conf#Configure_the_universal_forwarder_to_send_data_over_HTTP for the settings to use to send HEC from a UF.
Configure a Universal Forwarder to monitor a file and send it to Splunk Cloud via HEC. Using curl, I'm able to hit Splunk Cloud and I'm able to see the result, but I'm not sure how to configure the Universal Forwarder.