All Posts
@richgalloway thanks! That might be working... How do I include a count of zero when there are no matches? Like:
app_name  error_count
app1      0
app2      0
app3      5
app4      0
app5      233
I just want to pose a quick question about the Microsoft API URLs that are used in the add-on. At what point will the add-on be updated to reflect the new URL changes? I had a conversation with a Microsoft engineer, and he mentioned that the following URLs may not work past Dec 31 2024:
API_ADVANCED_HUNTING = "/api/advancedhunting/run"
API_ALERTS = "/api/alerts"
API_INCIDENTS = "/api/incidents"
This link shows the difference between some of the old vs. new URLs: Use the Microsoft Graph security API - Microsoft Graph v1.0 | Microsoft Learn
I know it's a while off. However, it comes quickly at times. Just trying to understand the process so I can stay ahead of it. Also, I have seen add-ons that have the option for legacy inputs and also for current ones. It would be great to have an option like that before the URL switch for this add-on.
Have you tried setting a new field that defines the app and then grouping on that field?
| eval appType = case(SourceName="Foo \"bar(\"", "app 1", SourceName="Foo \"quill(\"", "app 2", SourceName="Foo", "app 3", source="abcde", "app 4", sourcetype="windows" AND eventcode=11111, "app 5", 1==1, "other") | stats count by appType
Again, the cs2 field can contain either a user name or a group name. Users and groups have very similar naming conventions, so I don't see how Splunk can correctly determine if a given cs2 value is a user or a group. Unless, that is, assumptions can be made about user or group names. For example, if a group name always begins with "Secret Server":
| eval group = if(match(cs2, "^Secret Server"), cs2, null())
| eval user = if(match(cs2, "^Secret Server"), null(), cs2)
USE_LOCAL_SYSTEM: Install the universal forwarder as a local system. Default: 0. The default flag on install is 0; update the install line to set this flag to 1. This is no longer best practice for security, so be prepared to update future installs to fit with best practices.
Hi @richgalloway, The user naming convention looks like firstname lastname, e.g. samuel raj, jhony walker, etc. This should be in the user field, and the group naming convention looks like Secret Server Linux Server, Secret Server Windows Server, etc. This should be in the group field. How can we achieve this? Thanks.
Hi, We currently have events where identifying the app that makes the event depends on multiple fields, as well as substrings within those fields. For example:
app 1 is identified by SourceName=Foo "bar("
app 2 is identified by SourceName=Foo "quill("
app 3 is identified by SourceName=Foo
app 4 is identified by source=abcde
app 5 is identified by sourcetype=windows eventcode=11111
I would like to count the number of errors per app, but I'm not having luck yet. I've tried regexes & an eval case match pattern, & I can't seem to google the correct words to find a similar scenario in others' posts. Please help. Thanks, Orion
Hi, I need to know the steps and understanding of how to configure LDAP authentication via the GUI, which is available here: Settings > Authentication methods > LDAP. If anyone can share the understanding and exact steps, that will be helpful. Thanks
Hi Team, I want to get the DB top 10 query wait states in an AppD dashboard. Kindly suggest.
Have you checked out the free "Getting Data into Splunk" course at https://education-internal.splunk.com/Saba/Web_spf/NA10P2PRD105/guestapp/shared;spf-url=guest%2Fcategorydetail%2Fcateg000000000003041? You should be able to ingest the specified files by adding the following to an inputs.conf file on the appropriate server. You will also need Splunk Enterprise or Splunk Universal Forwarder on the same server.
[monitor:///app/docker/en*/logs]
index = foo
sourcetype = bar
Hi! I am facing an issue adding a new field in the ES identity KV store. After adding a new field, the automatic lookup doesn't work and never returns my new field in my events, but I can manually retrieve it with this query:
| inputlookup ES_identity_kvstore
while that one:
index=my_index | lookup ES_identity_kvstore...
throws me an error:
[comma separated list of my indexers] phase_0 - Streamed search execute failed because: Error in 'lookup' command: Cannot find the destination field 'my_new_field' in the lookup table 'ES_identity_kvstore'..
Still, with the following query forcing the SH to run the lookup, I can retrieve my new field:
index=my_index | lookup local=true ES_identity_kvstore...
collections.conf (with replicate=true) and props.conf are correctly updated on the SH, so I think I am maybe missing something in my indexers' configuration but cannot figure out what it is... Do you have any idea? Thanks!
Which specific file or folder inside the Splunk root folder can we map with IIS so that it can pick up the web files or binaries/distributables to be rendered in the browser?
When trying to make a connection with the dbconnect app using the "MS-SQL Server Using MS Generic Driver" driver, it gives an error and requests port 6666, but in the connection string I use port 1433. Does anyone know why this change is happening and how? How do I solve this? Note: a firewall rule has already been created for port 1433.
Connection String:
jdbc:sqlserver://myhost.database.windows.net:1433;databaseName=mydb;selectMethod=cursor;encrypt=false
Error:
Connection failure reason: The TCP/IP connection to the host myhost.database.windows.net, port 6666 has failed. Error: "connect timed out. Verify the connection properties. Make sure that an instance of SQL Server is running on the host and accepting TCP/IP connections at the port. Make sure that TCP connections to the port are not blocked by a firewall.". Diagnosis: Either the database is unavailable, or the specified host/port is incorrect, or you are blocked by a firewall Troubleshooting recommendation: Make sure the database is running on the server and you or the database are not blocked by a firewall.
Have you checked Splunkbase?  There is an app there (https://splunkbase.splunk.com/app/6096) that will send events to BMC Helix, but it doesn't say what BMC does with that event.  Perhaps your BMC contact can offer more information.
Hi! I am facing a very similar issue: after adding a new field to my KV store, the automatic lookup doesn't work and never returns my new field in my events, but I can manually retrieve it with this query:
| inputlookup my_kvstore
but that one:
index=my_index | lookup my_kvstore...
throws an error:
[comma separated list of my indexers] phase_0 - Streamed search execute failed because: Error in 'lookup' command: Cannot find the destination field 'my_new_field' in the lookup table 'my_kvstore'..
Still, with this query:
index=my_index | lookup local=true my_kvstore...
I can retrieve my new field... Regards,
| stats values(Skills) as Skills count(eval(TrainingCompleted=="Yes")) as TrainingCompleted count as "Team Appearance" by TeamName EmploymentType
| eval Skills=mvjoin(Skills,",")
| eval "TrainingCompleted%"=round(100*TrainingCompleted/'Team Appearance',0)."%"
I have a source file with comma separated fields, and I have to create a table where I need to combine and show statistics of different products.
Data file fields: TeamName,EmploymentType,Skills,TrainingCompleted
Source file data:
TeamA,Contract,Java,Yes
TeamA,Contract,DotNet,No
TeamA,Contract,C++,Yes
TeamA,Contract,ReactJS,No
TeamB,Permanent,Java,Yes
TeamB,Permanent,DotNet,No
TeamB,Permanent,C++,Yes
TeamB,Permanent,ReactJS,No
TeamC,Contract,Java,Yes
TeamC,Contract,DotNet,No
TeamC,Contract,C++,Yes
TeamC,Contract,ReactJS,No
TeamD,Permanent,Java,Yes
TeamD,Permanent,DotNet,No
TeamD,Permanent,C,Yes
TeamD,Permanent,ReactJS,No
TeamE,Contract,Java,Yes
TeamE,Contract,DotNet,No
TeamE,Contract,Java,Yes
Now the requirement is to create a table view of the source file with the columns below:
TeamName  EmploymentType  Skills                   TrainingCompleted  Team Appearance  Training Completion%
TeamA     Contract        Java,DotNet,ReactJS,C++  2                  4                50%
TeamB     Permanent       Java,DotNet,ReactJS,C++  2                  4                50%
TeamC     Contract        Java,DotNet,ReactJS,C++  2                  4                50%
TeamD     Permanent       Java,DotNet,ReactJS,C    2                  4                50%
TeamE     Contract        Java,Dotnet              2                  3                67%
Please give me the exact query. I am a beginner in Splunk.
The match function expects a regex string as the second parameter. In regex "*" is a modifier meaning zero or more of the previous match item. If "*" appears at the beginning of the regex expression, there is no previous match item, hence the error.
Hi Team, Getting this error message frequently in the internal logs of Splunk:
Error in 'where' command: The expression is malformed. An unexpected character is reached at '*) OR match(indicator, *_ip) OR match(indicator, *_host))
Any hints will be appreciated. Thanks in advance
Hi all, I found that the information in my Monitoring Console (Splunk version 9.1.1) about the Replication Factor is wrong. Has anyone experienced the same thing? In [Monitoring Console > Overview of Splunk Enterprise 9.1.1], Replication Factor = 3 is displayed, but I configured Replication Factor = 2 (it's a multisite, so origin=1, total=2). Is it maybe the Search Head Cluster Replication Factor (that's 3) or simply a displ? Thank you for your advice. Ciao. Giuseppe