All Posts

Without seeing the events, it is difficult to know what to suggest. Hopefully, previous answers will at least give you some ideas.
Try something like this <drilldown> <eval token="start_time">if(isnull($row._time$),$field1.earliest$,$row._time$)</eval> <eval token="end_time">if(isnull($row._time$),$field1.latest$,($row._time$ + $row._span$))</eval> <link target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0D%0ANOT%20%22*ivss-test*%22%0D%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0D%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0D%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0D%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0D%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0D%0ANOT%20(SourceName%3DLogging)%0D%0ANOT%20(SourceName%3DADFSAuth)%0D%0ANOT%20(SourceName%3DSchannel)%0D%0ANOT%20%22*PackageExtractor.exe*%22%0D%0ANOT%20%22*w3wp.exe*%22%0D%0ANOT%20%22*openssl.exe*%22%0D%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0D%0A%7C%20eval%20AppName%20%3D%20case(%0D%0A(SourceName%3D%22KmsService%22%20AND%20Message%3D%22*Mailer(*%22)%2C%20%22Mailer%22%2C%20%0D%0A(SourceName%3D%22KmsService%22%20AND%20Message%3D%22*SPackager(*%22)%2C%20%22SPackager%22%2C%20%0D%0A(SourceName%3D%22KmsService%22%20AND%20Message%3D%22*Hancock(Ver%3A*%22)%2C%20%22Hancock%22%2C%20%0D%0A(SourceName%3D%22KmsService%22%20AND%20Message%3D%22*GVMSAuth(Ver%3A*%22)%2C%20%22GVMSAuth%22%2C%20%0D%0A(source%3D%22Cloud.SecurePnC%22)%2C%20%22Cloud_SecurePnC%22%2C%0D%0A(source%3D%22ivssspd%22)%2C%20%22SecurePackageDelivery%22%2C%0D%0A(sourcetype%3D%22WinEventLog%3ASystem%22%20AND%20EventCode%3D5074)%2C%20%22AppPool_Restarts%22%2C%0D%0A(source%3D%22ivsscs%22%20AND%20'Properties.Service'%3D%22SecureConnect%22)%2C%20%22Cloud_SecureConnect%22%2C%0D%0A(source%3D%22ivsscs%22%20AND%20'Properties.Service'%3D%22SecureMessage%22)%2C%20%22Cloud_SecureMessage%22%2C%0D%0A(source%3D%22ivsscs%22%20AND%20'Properties.Service'%3D%22FPackager%22)%2C%20%22Cloud_FPackager%22%2C%0D%0A(SourceName%3D%22IVSSCS%22%20AND%20match(_raw%2C%20%22.*Service%20%3D%20SecureMessage.*%22))%2C%20%22SecureMessage%22%2C%0D%
0A(SourceName%3D%22IVSSCS%22%20AND%20match(_raw%2C%20%22.*Service%20%3D%20SecureConnect.*%22))%2C%20%22SecureConnect%22%2C%0D%0A(SourceName%3D%22KmsService%22)%2C%20%22KmsService%22%2C%0D%0A(SourceName%3D%22AutoSigner%22)%2C%20%22AutoSigner%22%2C%0D%0A(SourceName%3D%22DebugToken%22)%2C%20%22DebugToken%22%2C%0D%0A(SourceName%3D%22FlashbackCache%22)%2C%20%22FlashbackCache%22%2C%0D%0A(SourceName%3D%22KeyBundler%22)%2C%20%22KeyBundler%22%2C%0D%0A(SourceName%3D%22SecureModuleCore%22)%2C%20%22SecureModuleCore%22%2C%0D%0A(SourceName%3D%22SecureOTACore%22)%2C%20%22SecureOTACore%22%2C%0D%0A(SourceName%3D%22SecurePaaK%22)%2C%20%22SecurePaaK%22%2C%0D%0A(SourceName%3D%22SecurePayloadCore%22)%2C%20%22SecurePayloadCore%22%2C%0D%0A(SourceName%3D%22SecurePnCCore%22)%2C%20%22SecurePnCCore%22%2C%0D%0A(SourceName%3D%22SecureRekey%22)%2C%20%22SecureRekey%22%2C%0D%0A(SourceName%3D%22SecureSigner%22)%2C%20%22SecureSigner%22%2C%0D%0A(SourceName%3D%22SupplierFeed%22)%2C%20%22SupplierFeed%22%2C%0D%0A(SourceName%3D%22TRON%22)%2C%20%22TRON%22%2C%0D%0A(SourceName%3D%22WSLAgent5%22)%2C%20%22WSLAgent5%22%2C%0D%0A(SourceName%3D%22MMU%22)%2C%20%22MMU%22%2C%0D%0A1%3D%3D1%2C%20%22Other%22)%0D%0A%7C%20where%20AppName%3D&quot;$click.name2$&quot;&amp;earliest=$start_time$&amp;latest=$end_time$</link> </drilldown>
It looks correct. The events are timestamped in UTC, but the props.conf says to convert times to America/Chicago, which is 6 hours behind UTC. I recommend changing the props to extract the time zone from the timestamp.
[app_log]
CHARSET=UTF-8
LINE_BREAKER=([\r\n]+)\d+\-\d+\-\d+\s\d+\:\d+\:\d+\w
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
disabled=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S%Z
TIME_PREFIX=^
I'm trying to corral a string into a new field and value and having trouble. I've used eval / split / mvexpand.... The string looks like this. It's actually a field in an event:
field_id=/key1/value1/key2/value2/key3/value3/key4/value4
The end goal is to have new fields, like:
field_key1=value1
field_key2=value2
So I can now search, for example, if field_key1="the value of something".
Looks good to me.  Of course, change "mysourcetype" to the actual sourcetype name.
For a better and easier way, you can use the SPL below and replace your index name to find any duplicates in Splunk.
index=* | stats count by _raw, index, sourcetype, source, host | where count>1
Great - I removed the "|u" from the token in the link, in case that might not escape the double quotes, but the search window went back to just showing the token name, not the value. I put the "|u" back, but the search window is now persisting in showing the token name, not the value. It's almost like the Splunk XML parser is behaving inconsistently.
I have this props.conf and the TIME is almost 6hrs off from the event time. Below is my props.
[app_log]
CHARSET=UTF-8
LINE_BREAKER=([\r\n]+)\d+\-\d+\-\d+\s\d+\:\d+\:\d+\w
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=false
disabled=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TIME_PREFIX=^
TZ=US/Central

Sample log:
This is the event time which is ingesting fine: "2023-11-14 10:59:58Z"
2023-11-14 10:59:58Z stevelog Closed Successfully
2023-11-14 10:59:58Z stevelog_close
2023-11-14 10:59:58Z Resetting CWD back from C:\WINDOWS\SysWOW64\inetsrv
2023-11-14 10:59:58Z Resetting CWD complete, back too C:\WINDOWS\SysWOW64\inetsrv
2023-11-14 10:59:58Z steveEngineMain Thread ====================> END

The actual TIME is 6hrs off from the event time. Please find the attached screen and let me know what the time difference is.
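The following is an added example (not code from either post above) that reproduces the 6-hour skew the question and the answer describe. It applies both TIME_FORMAT variants to a constructed copy of one of the sample lines: with the original props the trailing "Z" is never consumed and the wall-clock time is taken as US/Central, while with the answer's "%Z" format the designator is read from the event and the time is UTC. The fixed UTC-6 offset for November is an assumption of the example so that it runs without a tz database.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample line, using the same timestamp as the log in the post.
SAMPLE_LINE = "2023-11-14 10:59:58Z stevelog Closed Successfully"

# US/Central in mid-November is CST, UTC-6 (no DST). A fixed offset is used
# instead of a tz database lookup so the example has no tzdata dependency;
# that fixed offset is an assumption of this example.
US_CENTRAL_NOV = timezone(timedelta(hours=-6), "CST")


def parse_like_original_props(line: str) -> datetime:
    """TIME_FORMAT=%Y-%m-%d %H:%M:%S with TZ=US/Central: the format never
    consumes the trailing 'Z', so the wall-clock time is taken as Central."""
    naive = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=US_CENTRAL_NOV)


def parse_like_fixed_props(line: str) -> datetime:
    """TIME_FORMAT=%Y-%m-%d %H:%M:%S%Z: the zone designator is read from the
    event itself, so a 'Z' timestamp is UTC and the TZ setting is not used."""
    stamp = line[:20]  # "YYYY-mm-dd HH:MM:SSZ"
    if not stamp.endswith("Z"):
        raise ValueError(f"expected a UTC 'Z' designator, got {stamp!r}")
    naive = datetime.strptime(stamp[:-1], "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def indexed_time_skew_seconds(line: str) -> int:
    """How far _time lands from the true event time under the original props."""
    delta = parse_like_original_props(line) - parse_like_fixed_props(line)
    return int(delta.total_seconds())


if __name__ == "__main__":
    original = parse_like_original_props(SAMPLE_LINE).astimezone(timezone.utc)
    fixed = parse_like_fixed_props(SAMPLE_LINE)
    print("original props -> _time (UTC):", original)
    print("fixed props    -> _time (UTC):", fixed)
    print("skew in seconds:", indexed_time_skew_seconds(SAMPLE_LINE))
```

The skew is exactly 21600 seconds, which is why the events appear six hours away from their real time; a timestamp that carries its own zone designator should be parsed with that designator rather than overridden by TZ.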
I tried removing all my custom XML and used the drilldown UI to generate the evals. Then I went to the XML to add the link back in. Interestingly, the value for the token app_query is getting passed to the new search window, but it is URL escaped, so the query returns no results.
just tried, same result <form version="1.1" theme="dark"> <label>Error Overview</label> <description>These charts only show apps having errors in the selected time frame</description> <fieldset submitButton="false"> <input type="time" token="field1"> <label></label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> </fieldset> <row> <panel> <title>Across Time</title> <chart> <search> <query>(index=ivss OR index=hec_18399_na_prod) NOT "*ivss-test*" NOT (SourceName=Microsoft-Windows-CAPI2) NOT (SourceName=Microsoft-Windows-DistributedCOM) NOT (SourceName="Microsoft WSE 3.0") NOT (SourceName=Microsoft-Windows-GroupPolicy) NOT (SourceName=Microsoft-Windows-Eventlog) NOT (SourceName=Logging) NOT (SourceName=ADFSAuth) NOT (SourceName=Schannel) NOT "*PackageExtractor.exe*" NOT "*w3wp.exe*" NOT "*openssl.exe*" (Type="Error" OR Level="Error") | eval AppName = case( (SourceName="KmsService" AND Message="*Mailer(*"), "Mailer", (SourceName="KmsService" AND Message="*SPackager(*"), "SPackager", (SourceName="KmsService" AND Message="*Hancock(Ver:*"), "Hancock", (SourceName="KmsService" AND Message="*GVMSAuth(Ver:*"), "GVMSAuth", (source="Cloud.SecurePnC"), "Cloud_SecurePnC", (source="ivssspd"), "SecurePackageDelivery", (sourcetype="WinEventLog:System" AND EventCode=5074), "AppPool_Restarts", (source="ivsscs" AND 'Properties.Service'="SecureConnect"), "Cloud_SecureConnect", (source="ivsscs" AND 'Properties.Service'="SecureMessage"), "Cloud_SecureMessage", (source="ivsscs" AND 'Properties.Service'="FPackager"), "Cloud_FPackager", (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureMessage.*")), "SecureMessage", (SourceName="IVSSCS" AND match(_raw, ".*Service = SecureConnect.*")), "SecureConnect", (SourceName="KmsService"), "KmsService", (SourceName="AutoSigner"), "AutoSigner", (SourceName="DebugToken"), "DebugToken", (SourceName="FlashbackCache"), "FlashbackCache", (SourceName="KeyBundler"), "KeyBundler", (SourceName="SecureModuleCore"), 
"SecureModuleCore", (SourceName="SecureOTACore"), "SecureOTACore", (SourceName="SecurePaaK"), "SecurePaaK", (SourceName="SecurePayloadCore"), "SecurePayloadCore", (SourceName="SecurePnCCore"), "SecurePnCCore", (SourceName="SecureRekey"), "SecureRekey", (SourceName="SecureSigner"), "SecureSigner", (SourceName="SupplierFeed"), "SupplierFeed", (SourceName="TRON"), "TRON", (SourceName="WSLAgent5"), "WSLAgent5", (SourceName="MMU"), "MMU", 1==1, "Other") | timechart usenull=f useother=f limit=0 span=1h count by AppName</query> <earliest>$field1.earliest$</earliest> <latest>$field1.latest$</latest> </search> <option name="charting.axisTitleX.visibility">collapsed</option> <option name="charting.chart">line</option> <option name="charting.drilldown">all</option> <option name="height">500</option> <option name="refresh.display">progressbar</option> <drilldown target="_blank"> <eval token="app_query">case($click.name2$=="Mailer", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Mailer(*&quot;)",$click.name2$=="SPackager", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*SPackager(*&quot;)",$click.name2$=="Hancock", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*Hancock(Ver:*&quot;)",$click.name2$=="GVMSAuth", "(SourceName=&quot;KmsService&quot; AND Message=&quot;*GVMSAuth(Ver:*&quot;)",$click.name2$=="Cloud_SecurePnC", "(source=&quot;Cloud.SecurePnC&quot;)",$click.name2$=="SecurePackageDelivery", "(source=&quot;ivssspd&quot;)",$click.name2$=="AppPool_Restarts", "(sourcetype=&quot;WinEventLog:System&quot; AND EventCode=5074)",$click.name2$=="Cloud_SecureConnect", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureConnect&quot;)",$click.name2$=="Cloud_SecureMessage", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;SecureMessage&quot;)",$click.name2$=="Cloud_FPackager", "(source=&quot;ivsscs&quot; AND Properties.Service=&quot;FPackager&quot;)",$click.name2$=="SecureMessage", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = 
SecureMessage*&quot;)",$click.name2$=="SecureConnect", "(SourceName=&quot;IVSSCS&quot; AND &quot;*Service = SecureConnect*&quot;)",$click.name2$=="KmsService", "(SourceName=&quot;KmsService&quot;)",$click.name2$=="AutoSigner", "(SourceName=&quot;AutoSigner&quot;)",$click.name2$=="DebugToken", "(SourceName=&quot;DebugToken&quot;)",$click.name2$=="FlashbackCache", "(SourceName=&quot;FlashbackCache&quot;)",$click.name2$=="KeyBundler", "(SourceName=&quot;KeyBundler&quot;)",$click.name2$=="SecureModuleCore", "(SourceName=&quot;SecureModuleCore&quot;)",$click.name2$=="SecureOTACore", "(SourceName=&quot;SecureOTACore&quot;)",$click.name2$=="SecurePaaK", "(SourceName=&quot;SecurePaaK&quot;)",$click.name2$=="SecurePayloadCore", "(SourceName=&quot;SecurePayloadCore&quot;)",$click.name2$=="SecurePnCCore", "(SourceName=&quot;SecurePnCCore&quot;)",$click.name2$=="SecureRekey", "(SourceName=&quot;SecureRekey&quot;)",$click.name2$=="SecureSigner", "(SourceName=&quot;SecureSigner&quot;)",$click.name2$=="SupplierFeed", "(SourceName=&quot;SupplierFeed&quot;)",$click.name2$=="TRON", "(SourceName=&quot;TRON&quot;)",$click.name2$=="WSLAgent5", "(SourceName=&quot;WSLAgent5&quot;)",$click.name2$=="MMU", "(SourceName=&quot;MMU&quot;)")</eval> <eval token="start_time">if(isnull($row._time$),$field1.earliest$,$row._time$)</eval> <eval token="end_time">if(isnull($row._time$),$field1.latest$,($row._time$ + $row._span$))</eval> <link 
target="_blank">search?q=(index%3Divss%20OR%20index%3Dhec_18399_na_prod)%0ANOT%20%22*ivss-test*%22%0ANOT%20(SourceName%3DMicrosoft-Windows-CAPI2)%0ANOT%20(SourceName%3DMicrosoft-Windows-DistributedCOM)%0ANOT%20(SourceName%3D%22Microsoft%20WSE%203.0%22)%0ANOT%20(SourceName%3DMicrosoft-Windows-GroupPolicy)%0ANOT%20(SourceName%3DMicrosoft-Windows-Eventlog)%0ANOT%20(SourceName%3DLogging)%0ANOT%20(SourceName%3DADFSAuth)%0ANOT%20(SourceName%3DSchannel)%0ANOT%20%22*PackageExtractor.exe*%22%0ANOT%20%22*w3wp.exe*%22%0ANOT%20%22*openssl.exe*%22%0A(Type%3D%22Error%22%20OR%20Level%3D%22Error%22)%0A$app_query|u$&amp;earliest=$start_time$&amp;latest=$end_time$</link> </drilldown> </chart> </panel> </row> </form>    
I'm creating an alert to notify oracle database administrators  when a  db_connect connection has failed. I have created the query to return the name of the failed connection using the splunk _internal logs. However, I would like to include the hostname and default database that are defined in the connection.  I have not been able to locate logs with the connection host and default database using the connection name as the search criteria. Is there a REST or CURL command available that retrieves the host and default database (using the connection name as input) that I can  use to join with my  completed query that retrieves failed connections? Thanks In Advance.  
Hi @richgalloway, my final transforms.conf and props.conf look like this; correct me if the format is not valid.
transforms.conf
[key_value_pair]
REGEX = (\w+)=(.*?)(?=\s\w+=|$)
FORMAT = $1::$2
props.conf
[mysourcetype]
category = Custom
description = Secret Server
EXTRACT-event_id_name = \|Secret Server\|[^\|]*\|(?<event_id>[^\|]*)\|(?<event_name>[^\|]*)\|
#REPORT-key_value_pair = key_value_pair
KV_MODE = auto
SEDCMD-rm_cs2 = s/(cs2=.*?(cs|\s*$))/\2/
SEDCMD-rm_cs2Label = s/(cs2Label=.*?(cs|\s*$))/\2/
EVAL-group = if(match(cs2, "^Secret Server"), cs2, null())
EVAL-user = if(match(cs2, "^Secret Server"), null(), cs2)
Thanks
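As an added example (not code from the post), the three regexes above are run with Python's re module over a constructed Secret Server-shaped CEF line, so you can see what each one extracts before deploying the config. The EXTRACT regex is rewritten with Python's (?P<name>) group syntax, and the two SEDCMD rules are emulated with re.sub on the first match only, as sed does without the g flag. The sample event is constructed for this example and is not a real Secret Server record. One thing the output makes visible: SEDCMD rewrites _raw at index time, so after both rules run the stored event no longer contains cs2, and search-time rules that reference cs2 will see nothing for it.

```python
import re

# Constructed CEF-style sample line in the shape the props.conf in the post
# expects: "|Secret Server|" product field, then event id and name, then
# key=value extensions. Not a real Secret Server event.
SAMPLE_EVENT = (
    "CEF:0|Thycotic Software|Secret Server|10.9|10001|SECRET - VIEW|3|"
    "suser=alice cs2=Secret Server Users cs2Label=Group msg=Viewed secret 42"
)

# EXTRACT-event_id_name from the post, with (?<name>) as Python's (?P<name>).
EVENT_ID_NAME = re.compile(
    r"\|Secret Server\|[^\|]*\|(?P<event_id>[^\|]*)\|(?P<event_name>[^\|]*)\|"
)

# REGEX from the [key_value_pair] transform: a word key, then a lazy value
# that stops just before the next " key=" or at the end of the event.
KEY_VALUE_PAIR = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# The two SEDCMD rules, applied in the order the props list them.
SEDCMDS = [
    (re.compile(r"(cs2=.*?(cs|\s*$))"), r"\2"),
    (re.compile(r"(cs2Label=.*?(cs|\s*$))"), r"\2"),
]


def extract_event_id_name(raw: str):
    """Search-time extraction of event_id and event_name, or None if no match."""
    m = EVENT_ID_NAME.search(raw)
    return (m.group("event_id"), m.group("event_name")) if m else None


def extract_key_value_pairs(raw: str) -> dict:
    """The field::value pairs the key_value_pair transform would emit."""
    return {key: value for key, value in KEY_VALUE_PAIR.findall(raw)}


def apply_sedcmds(raw: str) -> str:
    """Index-time view of _raw after both SEDCMD rules have run (first match
    only per rule, as sed without the g flag)."""
    for pattern, replacement in SEDCMDS:
        raw = pattern.sub(replacement, raw, count=1)
    return raw


if __name__ == "__main__":
    print("event_id, event_name:", extract_event_id_name(SAMPLE_EVENT))
    print("key=value fields:", extract_key_value_pairs(SAMPLE_EVENT))
    print("_raw after SEDCMD:", repr(apply_sedcmds(SAMPLE_EVENT)))
```

Running it shows the key=value transform correctly keeping multi-word values such as "Secret Server Users" intact, and shows the stored _raw reduced to the suser field once both SEDCMD rules have removed cs2 and cs2Label.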
Is the app (Cisco Secure eStreamer Client Add-On, https://splunkbase.splunk.com/app/3662) even usable on Splunk Cloud? I can install it from the "browse more apps" page in the cloud app management area, but it seems I will not be able to set it up or use it, as 1) it requires you to edit a config file on disk; 2) it writes the data it retrieves from Cisco to a local disk; 3) it is not possible to create a disk monitor in Splunk Cloud. The only real option seems to be to use a heavy forwarder. Any suggestions?
OK so that's not the actual event. So, going by what you have shared, try this | where matching="[mobileNumber, countryCode]"
Hi @Jose.Macias, Thanks for sharing all that additional info with me via PM. I've been told this issue has to be escalated to be further investigated. I will provide an update here, unless it requires more sensitive info, if so, I will reach out via a PM again.
@apps_inpaytech I am seeing the same issue. Did you ever find a solution? I also tried using the new Add-On for Cloud Services, but that also has a different sourcetype with different fields, so that was no better.
Rather than $click.value$, try $click.name2$
Hi, there's a documentation bug for 2.0.0 as the tenant_uid has to be specified now. The correct search would be:
| makeresults
| eval user="World", src="192.168.0.1", action="create test event"
| sendalert create_alert param.title="Hello $result.user$" param.template=default param.tenant_uid=default
Hope this helps!
Thank you! This worked.