All Posts
Finding something that is not there is not Splunk's strong suit.  See this blog entry for a good write-up on it. https://www.duanewaddle.com/proving-a-negative/ If the set of apps is small enough, you may be able to append a static set of zero counts and then add them to what Splunk produces.

    <<current query>>
    | append [ makeresults format=csv data="app_name,error_count
    app1,0
    app2,0
    app3,0
    app4,0
    app5,0" ]
    | stats sum(error_count) as error_count by app_name
No replies, having same issue here.  It's something we messed up or isn't documented, just trying to figure out what.
Have you read the docs at https://docs.splunk.com/Documentation/Splunk/9.1.1/Security/SetupuserauthenticationwithLDAP ?  What questions about the steps described there can we help answer?
continue... Hi @ITWhisperer The queries used to get the above three table formats:

1st query:
    index= source IN ("") "uniqObjectIds" OR "data retrieved for Ids"
    | eval PST=_time-28800
    | eval PST_TIME=strftime(PST, "%Y-%d-%m %H:%M:%S")
    | spath output=uniqObjectIds path=uniqObjectIds{}
    | where isnotnull(uniqObjectIds)
    | spath output=uniqueRetrievedIds path=uniqueRetrievedIds{}
    | stats values(*) as * by _raw
    | table uniqObjectIds,uniqObjectIdsCount,uniqObjectIds{},PST_TIME
    | sort - PST_TIME

2nd query:
    index= source IN ("") "data retrieved for Ids"
    | eval PST=_time-28800
    | eval PST_TIME=strftime(PST, "%Y-%d-%m %H:%M:%S")
    | spath output=uniqueRetrievedIds path=uniqueRetrievedIds{}
    | where isnotnull(uniqueRetrievedIds)
    | stats values(*) as * by _raw
    | table uniqueRetrievedIds{},uniqueRetrievedIds, PST_TIME
    | sort - PST_TIME

3rd query:
    index= source IN ("") "data not found for Ids"
    | eval PST=_time-28800
    | eval PST_TIME=strftime(PST, "%Y-%d-%m %H:%M:%S")
    | spath output=dataNotFoundIds path=dataNotFoundIds{}
    | where isnotnull(dataNotFoundIds)
    | stats values(*) as * by _raw
    | table dataNotFoundIds{},dataNotFoundIdsCount, PST_TIME
    | sort - PST_TIME

Could you help?
Hi @ITWhisperer  Thanks for your reply and suggestions. Really appreciate it! Now I have added a log to all of the below raw events, which will have "entity":"suppliedMaterial".

1st event:
    {"name":"","awsRequestId":"","hostname":"","pid":8,"level":30,"supportType":"reprocess","entity":"suppliedMaterial","uniqObjectIds":["122598","268817","88888888888","99999999999999999","abc"],"uniqObjectIdsCount":5,"msg":"unique objectIds","time":"2023-11-09T13:56:36.559Z","v":0}

2nd event:
    {"name":"","awsRequestId":"","hostname":"","pid":8,"level":30,"supportType":"reprocess","entity":"suppliedMaterial","uniqueRetrievedIds":[],"msg":"data retrieved for Ids","time":"2023-11-09T13:56:36.749Z","v":0}

3rd event:
    {"name":"","awsRequestId":"","hostname":"","pid":8,"level":30,"supportType":"reprocess","entity":"suppliedMaterial","dataNotFoundIds":["122598","268817","88888888888","99999999999999999","abc"],"dataNotFoundIdsCount":5,"msg":"data not found for Ids","time":"2023-11-09T13:56:36.749Z","v":0}

Currently I have three queries which fetch the results from _raw in the table format below. Expected: I want all three different tables combined, showing their results based on the common key value entity: "suppliedMaterial" from the raw events.
uniqObjectIds | uniqObjectIdsCount | uniqObjectIds{} | PST_TIME
122598 268817 88888888888 99999999999999999 abc | 5 | 122598 268817 88888888888 99999999999999999 abc | 2023-08-11 06:38:01
122598 268817 88888888888 99999999999999999 abcdefg | 5 | 122598 268817 88888888888 99999999999999999 abcdefg | 2023-08-11 06:37:44
122598 268817 88888888888 99999999999999999 abcdefg | 5 | 122598 268817 88888888888 99999999999999999 abcdefg | 2023-08-11 06:35:40
122598 268817 88888888888 99999999999999999 abcdefg | 5 | 122598 268817 88888888888 99999999999999999 abcdefg | 2023-08-11 06:33:14

uniqueRetrievedIds{} | uniqueRetrievedIds | PST_TIME
122598 268817 | 122598 268817 | 2023-08-11 06:38:01
122598 268817 | 122598 268817 | 2023-08-11 06:37:44
122598 268817 | 122598 268817 | 2023-08-11 06:35:40
122598 268817 | 122598 268817 | 2023-08-11 06:33:14
122598 268817 | 122598 268817 | 2023-08-11 03:28:56
275649 | 275649 | 2023-06-11 06:49:10
275649 | 275649 | 2023-03-11 04:28:36
275649 | 275649 | 2023-03-11 03:13:07
108795 | 108795 | 2023-03-11 03:09:07
108795 275649 | 108795 275649 | 2023-02-11 14:44:04

dataNotFoundIds{} | dataNotFoundIdsCount | PST_TIME
88888888888 99999999999999999 abc | 3 | 2023-08-11 06:38:01
88888888888 99999999999999999 abcdefg | 3 | 2023-08-11 06:37:44
88888888888 99999999999999999 abcdefg | 3 | 2023-08-11 06:35:40
88888888888 99999999999999999 abcdefg | 3 |
@richgalloway , how can we exclude these cs2, cs2Label fields using the sed command in props? Thanks.
@richgalloway  thanks!  That might be working...  How do I include a count of zero when there are no matches?  Like:

    app_name  error_count
    app1      0
    app2      0
    app3      5
    app4      0
    app5      233
I just want to pose a quick question about the Microsoft API URLs that are used in the add-on.  At what point will the add-on be updated to reflect the new URL changes?  I had a conversation with a Microsoft engineer, and he mentioned that the following URLs may not work past Dec 31 2024:

    API_ADVANCED_HUNTING = "/api/advancedhunting/run"
    API_ALERTS = "/api/alerts"
    API_INCIDENTS = "/api/incidents"

This link shows the difference between some of the old vs new URLs: Use the Microsoft Graph security API - Microsoft Graph v1.0 | Microsoft Learn

I know it's a while off.  However, it comes quick at times.  Just trying to understand the process so I can stay ahead of it.  Also, I have seen add-ons that have the option for legacy inputs and also for current.  It would be great to have an option like that before the URL switch for this add-on.
Have you tried setting a new field that defines the app and then grouping on that field?

    | eval appType = case(SourceName="Foo \"bar(\"", "app 1",
                          SourceName="Foo \"quill(\"", "app 2",
                          SourceName="Foo", "app 3",
                          source=abcde, "app 4",
                          sourcetype=windows AND eventcode=11111, "app 5",
                          1==1, "other")
    | stats count by appType
Again, the cs2 field can contain either a user name or a group name.  Users and groups have very similar naming conventions so I don't see how Splunk can correctly determine if a given cs2 value is a user or a group. Unless, that is, assumptions can be made about user or group names.  For example, if a group name always begins with "Secret Server":

    | eval group = if(match(cs2, "^Secret Server"), cs2, null())
    | eval user = if(match(cs2, "^Secret Server"), null(), cs2)
    USE_LOCAL_SYSTEM    Install the universal forwarder as a local system    0

The default flag on install is 0 - update the install line to set this flag to 1. This is no longer best practice for security, so be prepared to update future installs to fit with best practices.
Hi @richgalloway , the user naming convention looks like firstname lastname, e.g. samuel raj, jhony walker etc. This should be in the user field, and the group naming convention looks like Secret Server Linux Server, Secret Server Windows Server etc., and this should be in the group field. How can we achieve this? Thanks..
Hi, we currently have events where identifying the app that makes the event depends on multiple fields, as well as substrings within those fields.  For example:

    app 1 is identified by SourceName=Foo "bar("
    app 2 is identified by SourceName=Foo "quill("
    app 3 is identified by SourceName=Foo
    app 4 is identified by source=abcde
    app 5 is identified by sourcetype=windows eventcode=11111

I would like to count the number of errors per app, but I'm not having luck yet.  I've tried regexes & an eval case match pattern, & I can't seem to google the correct words to find a similar scenario in others' posts. Please help.  Thanks, Orion
Hi, I need to know the steps and understanding of how to configure LDAP authentication via the GUI, which is available here: Settings > Authentication methods > LDAP. If anyone can share the understanding and exact steps, that will be helpful. Thanks
Hi Team, I want to get DB top 10 query wait states in AppD dashboard. Kindly suggest.
Have you checked out the free "Getting Data into Splunk" course at https://education-internal.splunk.com/Saba/Web_spf/NA10P2PRD105/guestapp/shared;spf-url=guest%2Fcategorydetail%2Fcateg000000000003041? You should be able to ingest the specified files by adding the following to an inputs.conf file on the appropriate server.  You will also need Splunk Enterprise or Splunk Universal Forwarder on the same server.

    [monitor:///app/docker/en*/logs]
    index = foo
    sourcetype = bar
Hi ! I am facing an issue adding a new field in the ES identity kv store. After adding a new field, the automatic lookup doesn't work and never returns my new field in my events, but I can manually retrieve it with this query:

    | inputlookup ES_identity_kvstore

while that one:

    index=my_index | lookup ES_identity_kvstore...

throws me an error:

    [comma separated list of my indexers] phase_0 - Streamed search execute failed because: Error in 'lookup' command: Cannot find the destination field 'my_new_field' in the lookup table 'ES_identity_kvstore'..

Still, with this following query forcing the SH to run the lookup, I can retrieve my new field:

    index=my_index | lookup local=true ES_identity_kvstore...

collections.conf (with replicate=true) and props.conf are correctly updated on the SH, so I think I am maybe missing something in my indexers' configuration but cannot figure out what it is...  Do you have any idea ? Thanks !
Which specific file or folder inside Splunk root folder we can map with IIS which can pick the web files or binaries/distributable that can be rendered on the browser?
When trying to make a connection with the dbconnect app using the "MS-SQL Server Using MS Generic Driver" driver, it is giving an error and requesting port 6666, but in the connection string I use port 1433. Does anyone know why this change is happening and how? How do I solve this? Note: a firewall rule has already been created for port 1433.

Connection String:
    jdbc:sqlserver://myhost.database.windows.net:1433;databaseName=mydb;selectMethod=cursor;encrypt=false

Error:
    Connection failure reason: The TCP/IP connection to the host myhost.database.windows.net, port 6666 has failed. Error: "connect timed out. Verify the connection properties. Make sure that an instance of SQL Server is running on the host and accepting TCP/IP connections at the port. Make sure that TCP connections to the port are not blocked by a firewall.". Diagnosis: Either the database is unavailable, or the specified host/port is incorrect, or you are blocked by a firewall Troubleshooting recommendation: Make sure the database is running on the server and you or the database are not blocked by a firewall.
Have you checked Splunkbase?  There is an app there (https://splunkbase.splunk.com/app/6096) that will send events to BMC Helix, but it doesn't say what BMC does with that event.  Perhaps your BMC contact can offer more information.