All Posts

Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

All Posts

Number of new users who have logged in per month as a running total to show a trend of new users over time.

by in Reporting
‎11-13-2023 01:56 PM
‎11-13-2023 01:56 PM
Hi,  I am running a monthly report to show (unique users) logged in to the system (API) each month until the current time.  . . . . .  earliest=@mon latest=now | stats dc(CN)    But I have diffi... See more...
Hi,  I am running a monthly report to show (unique users) logged in to the system (API) each month until the current time.  . . . . .  earliest=@mon latest=now | stats dc(CN)    But I have difficulty in calculating the the number of new users who have logged in per month as a running total to show a trend of new users over time.  The Query should run as following example:  If 50 distinct users log in in October and none of the 50 has logged in before, the total is 50. If 75 distinct users log in in November but 50 of them are the same that logged in in October, the number of new users is 25. Combined with the total for October, the total for November becomes 75.    

Re: Dashboard Studio : DataSource gets results. MultiSelect token used in Chain search. Spaces in DS result no go.

by in Splunk Search
‎11-13-2023 01:22 PM
‎11-13-2023 01:22 PM
I guess it's a Dashboard Studio issue ... Just updated from 8.2 to 9.1.1. I will try to see if that works.

Report that shows login failure events occurred on the previous day grouped by source user

by in Security
‎11-13-2023 11:19 AM
‎11-13-2023 11:19 AM
Hello, I need to generate the below report, can someone help please? thank you!!   format: .csv  List of events: authentication failure activity, user logon failure : bad password, user logon fail... See more...
Hello, I need to generate the below report, can someone help please? thank you!!   format: .csv  List of events: authentication failure activity, user logon failure : bad password, user logon failure: bad username, table with subset of fields: user, date/time, VendorMsgID, account, class, process name, object, subject, logMsg) grouped by user schedule: daily search window: -24 hours Expiration= 30 days
Labels

Recommendations for migrating from CentOS 7

by in Splunk Enterprise
‎11-13-2023 10:34 AM
‎11-13-2023 10:34 AM
Hi, we currently have our on prem Splunk infrastructure running on CentOS 7 servers.  CentOS 7 is going EOL in 2024.  We would like to migrate these servers to a supported Linux OS, preferably one wi... See more...
Hi, we currently have our on prem Splunk infrastructure running on CentOS 7 servers.  CentOS 7 is going EOL in 2024.  We would like to migrate these servers to a supported Linux OS, preferably one with long term support.  What do you recommend for this?  We are strongly considering RHEL 9.2.  Thank you!
Labels

Re: How to calculated individual fail time?

by SplunkTrust in Splunk Search
‎11-13-2023 09:46 AM
‎11-13-2023 09:46 AM
@gcusello's answer should give you the desired output.  Is it possible that some events come out of order?  You can use sort to make sure events are in perfect revere time order.   | sort - _time |... See more...
@gcusello's answer should give you the desired output.  Is it possible that some events come out of order?  You can use sort to make sure events are in perfect revere time order.   | sort - _time | transaction Item startswith="Result=fail" endswith="Result=success" | eval EndTime = _time + duration | fieldformat EndTime = strftime(EndTime, "%F %T") | fieldformat duration = tostring(duration, "duration") | fields Item _time EndTime duration   Here you can rename _time as StartTime if you wish, then format it for display.  For large number of events, sort can be expensive.  This is one of the costs of transaction when raw events are not perfectly in order. Here is an emulation you can play with and compare with raw data   | makeresults | eval data = split("02:00:00 Item=A Result=success 02:00:05 Item=B Result=success 02:05:00 Item=A Result=fail 02:05:05 Item=B Result=success 02:10:00 Item=A Result=fail 02:10:05 Item=B Result=success 02:15:00 Item=A Result=success 02:15:05 Item=B Result=fail 02:20:00 Item=A Result=success 02:20:05 Item=B Result=fail 02:25:00 Item=A Result=success 02:25:05 Item=B Result=success 02:30:00 Item=A Result=success 02:30:05 Item=B Result=success 02:35:00 Item=A Result=success 02:35:05 Item=B Result=success 02:40:00 Item=A Result=success 02:40:05 Item=B Result=fail 02:45:00 Item=A Result=success 02:45:05 Item=B Result=success 02:50:00 Item=A Result=success 02:50:05 Item=B Result=success 02:55:00 Item=A Result=success 02:55:05 Item=B Result=success", " ") | mvexpand data | rename data as _raw | rex "^(?<_time>\S+)" | eval _time = strptime(_time, "%H:%M:%S") | extract ``` data emulation above ```   Combining the two, I get Item _time EndTime duration _raw B 2023-11-13 02:40:05 2023-11-13 02:45:05 00:05:00 02:40:05 Item=B Result=fail 02:45:05 Item=B Result=success B 2023-11-13 02:20:05 2023-11-13 02:25:05 00:05:00 02:20:05 Item=B Result=fail 02:25:05 Item=B Result=success B 2023-11-13 02:15:05 2023-11-13 02:30:05 00:15:00 02:15:05 Item=B Result=fail 02:30:05 Item=B Result=success A 2023-11-13 02:10:00 2023-11-13 02:15:00 00:05:00 02:10:00 Item=A Result=fail 02:15:00 Item=A Result=success A 2023-11-13 02:05:00 2023-11-13 02:20:00 00:15:00 02:05:00 Item=A Result=fail 02:20:00 Item=A Result=success

Re: Unable to install PHP agent in Alpine

by Community Manager in Splunk AppDynamics
‎11-13-2023 09:30 AM
‎11-13-2023 09:30 AM
Hello @Aditya Kumar.Maddala, Please check out AppD Docs site for PHP Supported Environments.  https://docs.appdynamics.com/appd/22.x/latest/en/application-monitoring/install-app-server-agents/php... See more...
Hello @Aditya Kumar.Maddala, Please check out AppD Docs site for PHP Supported Environments.  https://docs.appdynamics.com/appd/22.x/latest/en/application-monitoring/install-app-server-agents/php-agent/php-supported-environments

Re: Is DB Connect Compatible With IPv6?

by SplunkTrust in Getting Data In
‎11-13-2023 09:10 AM
‎11-13-2023 09:10 AM
Splunk and its apps do not handle networking directly.  There is no reason why they will not do the job if the destination is addressable by the operating system's networking stack, IPv6 or IPv4.

Re: Values for sap_idoc_data table in Analytics

by Community Manager in Splunk AppDynamics
‎11-13-2023 09:08 AM
‎11-13-2023 09:08 AM
Hi @Yann.Buccellato, I heard back from the Docs team.  The field is formatted in SAP-specific type TIMS and the value is presented in HH:MI:SS format. The documentation pages will be updated afte... See more...
Hi @Yann.Buccellato, I heard back from the Docs team.  The field is formatted in SAP-specific type TIMS and the value is presented in HH:MI:SS format. The documentation pages will be updated after the upcoming 23.11.0 release to reflect this information. Does this help?

Re: help on Splunk alert recurrence

by SplunkTrust in Alerting
‎11-13-2023 08:35 AM
‎11-13-2023 08:35 AM
You haven't provided sufficient information for anyone to be able to determine why your search picked up events which you weren't expecting, or why you search failed to exclude these from your alert.... See more...
You haven't provided sufficient information for anyone to be able to determine why your search picked up events which you weren't expecting, or why you search failed to exclude these from your alert. It is like me asking you, why did my search fail?

Is DB Connect Compatible With IPv6?

by in Getting Data In
‎11-13-2023 08:32 AM
‎11-13-2023 08:32 AM
I haven't been able to find any documentation stating whether or not DB Connect is IPv6 compatible.  My customer has a requirement to migrate to IPv6 and I need to know if this app will still be able... See more...
I haven't been able to find any documentation stating whether or not DB Connect is IPv6 compatible.  My customer has a requirement to migrate to IPv6 and I need to know if this app will still be able pull data from an MS-SQL DB once the protocol changes.
Labels

Re: help on Splunk alert recurrence

by in Alerting
‎11-13-2023 08:29 AM
‎11-13-2023 08:29 AM
thanks for your answer even if it's not really easy to understand the data are approximatively indexed every 20 minutes so concerning my problem i dont understand why my last related event vs my al... See more...
thanks for your answer even if it's not really easy to understand the data are approximatively indexed every 20 minutes so concerning my problem i dont understand why my last related event vs my alert happened last Friday and why my alert has occurend once again today

Alert event

by in Alerting
‎11-13-2023 08:29 AM
‎11-13-2023 08:29 AM
Please help me on below things: Requirements: Once 3 events meets, immediately next event should published.if event is not published after 5 min ,need alert. Example : We have one customerno.for ... See more...
Please help me on below things: Requirements: Once 3 events meets, immediately next event should published.if event is not published after 5 min ,need alert. Example : We have one customerno.for the customer number ,I have to search whether 3 events meets logs available in the splunk log or not  Ex: index= 1 source type ="abc" "s1 event received" and "s2 event received" and "s3 event received"     When I search above query ,I will be getting like S1 received for 12345 customer S2 received for 12345 customer S3 received for 12345 customer   If for one customer,all 3 event are met,next i want to search "created" message available in the splunk for same customer (12345) Here "created" message index and source type is different If "created" message not available for 12345 customer no after 5 min once all 3 events meets,I need alert.pls help on this query.
Labels

Re: help on Splunk alert recurrence

by SplunkTrust in Alerting
‎11-13-2023 08:00 AM
‎11-13-2023 08:00 AM
Alerts have throttles but that's at the alert level, not at the event which have been looked at. As I said, it depends on your search and your data. For example, if you are searching over 25 hours, ... See more...
Alerts have throttles but that's at the alert level, not at the event which have been looked at. As I said, it depends on your search and your data. For example, if you are searching over 25 hours, every 24 hours, there will be an overlap of 1 hour. Having said that, it depends how quickly your data is indexed, real lag, and how far behind your timestamp field (_time) is to actual time, extended lag. In order to fashion a search which takes these factors into account, you need to understand your data, how it is indexed, when it is indexed, etc. When you know this, you might have a chance at eliminating events which you have (or may have) already looked at. Another way you might approach this is to copy the events you have looked at into a summary index and then ignore any events which are already in your summary index.

Re: Using a Lookup with wildcard to check on logging status

by in Splunk Search
‎11-13-2023 08:00 AM
‎11-13-2023 08:00 AM
Understood.  Thanks again!

Re: help on Splunk alert recurrence

by in Alerting
‎11-13-2023 07:53 AM
‎11-13-2023 07:53 AM
Have you an example to filter events that have already looked at? Is there any alert customization for doing that like throttle or expiration?

Re: help on Splunk alert recurrence

by SplunkTrust in Alerting
‎11-13-2023 07:51 AM
‎11-13-2023 07:51 AM
Your search has to be able to filter out the events you don't want, or have already looked at. This will depend on your search and your data.

Re: How to filter row if some fields are empty?

by SplunkTrust in Splunk Search
‎11-13-2023 07:46 AM
1 Karma
‎11-13-2023 07:46 AM
1 Karma
* doesn't work (as a wildcard) for where only search

help on Splunk alert recurrence

by in Alerting
‎11-13-2023 07:37 AM
‎11-13-2023 07:37 AM
Hi I use a splunk alert with a 24 hours slottime what is strange is that this alert show me an event older than 24 hours so I have 2 questiosn 1) How is it possible that an alert occurs with an e... See more...
Hi I use a splunk alert with a 24 hours slottime what is strange is that this alert show me an event older than 24 hours so I have 2 questiosn 1) How is it possible that an alert occurs with an event outside the slot time specified? 2) How to customize the alert for being sure that it shows only new events and not events already shown?  It means that I need the alert occurs just one time when an event is detected thanks

Re: How to filter row if some fields are empty?

by in Splunk Search
‎11-13-2023 07:28 AM
‎11-13-2023 07:28 AM
Hello, Thanks for your correction and your help. So this is what I am looking for:    | where (isnotnull(vuln) AND isnotnull(score) AND len(company)>0)) OR (isnotnull(vuln)) OR len(company>0)  An... See more...
Hello, Thanks for your correction and your help. So this is what I am looking for:    | where (isnotnull(vuln) AND isnotnull(score) AND len(company)>0)) OR (isnotnull(vuln)) OR len(company>0)  Any idea why * didn't work? It seems like "where" is faster than "search"  Thank you

Re: Using a Lookup with wildcard to check on logging status

by SplunkTrust in Splunk Search
‎11-13-2023 07:20 AM
1 Karma
‎11-13-2023 07:20 AM
1 Karma
Not so easy, because you have said your lookup contains wildcards, you could append the list of sources from your lookup and count the occurrences, but you might get false positives/negatives where y... See more...
Not so easy, because you have said your lookup contains wildcards, you could append the list of sources from your lookup and count the occurrences, but you might get false positives/negatives where you found a source which matched the wildcard | append [| inputlookup pvs_source_list | table source] | stats count by source | where count < 2