I have a fairly hefty search that is looking for potential brute-force attempts in my network. I have verified that the search works and results in a table with the following fields: end_time, reason, signature, src, start_time, user, title. This is completely as I would expect. However, when I try to push the reason into my notable description using $reason$, the resulting notables simply have the word "Success" in their description. I know for a fact that every hit on the search has a fairly descriptive reason, which I can see when I perform the search manually. Pushing the title to the title of the notable works without any problems, even though both appear to be multi-value fields, and there should be no difference between them. I have no idea where to start looking for a solution for this.
Hello, there are several tokens on which panels are already dependent, and I believe adding a token again for dummy at panel level will again cause issues when other tokens are set. If you have sample code with panels with a button etc., it will be of great help.
"I ran the following query, and this appears to work (unless it's actually not??)"

Your hunch is correct: that search actually does not do what you wanted, because dest_ip!=address will always be true. First things first, I assume that lookup1 has MATCH_TYPE=CIDR(ip_address), given that your search has apparent success. As an aside: as @ITWhisperer points out, the ip_address column is already in CIDR notation. The other column (CIDR) conveys no information for this purpose. I can't think of any use case where such a column will be useful.

CIDR, ip_address
24, 1.2.3.4/24
23, 5.6.7.8/23

"I wanted events with source ips that match the ip addresses in the lookup table with destination ips that do not match the ip addresses in the lookup table."

The second half of the statement is imprecise. Do you mean you want dest_ip that does not match the very IP range that includes src_ip in the exact same event, or do you mean you want dest_ip that does not match any IP range in the lookup table? If the former, use a modified search from @bowesmana's answer:

index="index1"
| lookup lookup1 ip_address as src_ip OUTPUT ip_address as address
| where isnotnull(address) AND cidrmatch(address, dest_ip)

If the latter, you can use

index="index1"
| lookup lookup1 ip_address as src_ip OUTPUT ip_address as src_match
| where isnotnull(src_match)
| lookup lookup1 ip_address as dest_ip OUTPUT ip_address as dest_match
| where isnull(dest_match)

But your statement can have a million other interpretations. Unless you can be specific, none of these will work for you.
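As an added example (not code from the answer above or from the asker), the following Simple XML panel shows on constructed data why a plain string comparison of dest_ip against a CIDR lookup value can never be false, and what the two readings of "does not match" actually produce. A CIDR lookup cannot be created inline, so the `address` field is computed with a case() over the same two ranges as a stand-in for `| lookup lookup1 ip_address as src_ip OUTPUT ip_address as address`; in a real deployment the lookup definition in transforms.conf needs `match_type = CIDR(ip_address)`, which is what the answer's MATCH_TYPE refers to. Row 4 is a source that is in no range, so it shows what happens when the lookup returns nothing.

```xml
<dashboard version="1.1">
  <label>Why dest_ip!=address is always true (constructed data)</label>
  <row>
    <panel>
      <title>String compare vs cidrmatch</title>
      <!-- naive:      the comparison from the original search; every matched row survives it,
                       because "1.2.3.50" can never equal the string "1.2.3.4/24".
           same_range: reading 1, dest_ip inside the range that matched src_ip.
           any_range:  reading 2, dest_ip inside any range of the lookup.
           Row 4 has no src match, address is null, and a comparison with null is not true. -->
      <table>
        <search>
          <query>| makeresults count=4
| streamstats count AS n
| eval src_ip  = case(n==1, "1.2.3.10", n==2, "1.2.3.20", n==3, "5.6.7.9",   n==4, "9.9.9.9")
| eval dest_ip = case(n==1, "1.2.3.50", n==2, "8.8.8.8",  n==3, "5.6.7.200", n==4, "1.2.3.4")
| eval address = case(cidrmatch("1.2.3.4/24", src_ip), "1.2.3.4/24", cidrmatch("5.6.7.8/23", src_ip), "5.6.7.8/23")
| eval naive = if(dest_ip!=address, "kept", "dropped")
| eval same_range = if(isnotnull(address) AND cidrmatch(address, dest_ip), "dest in src range", "dest outside src range")
| eval any_range = if(cidrmatch("1.2.3.4/24", dest_ip) OR cidrmatch("5.6.7.8/23", dest_ip), "dest in some range", "dest in no range")
| table n src_ip dest_ip address naive same_range any_range</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

Rows 1 to 3 all come out as "kept" in the naive column, while same_range and any_range disagree on rows 2 and 4, which is exactly the ambiguity the answer asks the poster to resolve before choosing a search.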
Hi ITWhisperer,

I have used the statement you gave and it works well, and have used it to get the gap between the days as I wish to use this in an average:

| eval reltimeearl = if(isnum(1698796800),1698796800,relative_time(now(),"1698796800"))
| eval reltimelate = if(isnum(1699056000),1699056000,if("1699056000"=="now",now(),relative_time(now(),"1699056000")))
| where sTime>reltimeearl AND sTime<=reltimelate
| eval relgap=(tonumber(reltimelate-reltimeearl)/86400)
| stats sum(Percentage_Rec) as Rec1 by description key
| eval Av_Rec=(Rec1/relgap)
| table description Rec1

This does not work, as the relgap is not processed. Looking at the fields when in Verbose mode, I can see a count against this value. As a test I did dedup relgap so the count=1. However this still does not pass to the eval statement. Can you see why? Just using a value of 3 works:

eval Av_Rec=(Rec1/3)
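As an added example (not from the post above), this panel reproduces the search on constructed events and carries relgap through stats. The reason the poster's eval sees nothing is that stats only emits the aggregated fields and the by fields, so relgap no longer exists after it; the fix shown here is to aggregate it along (max(relgap) AS relgap, which is safe because every row carries the same constant). The data is six synthetic events spaced 12 hours apart inside the poster's window (1698796800 to 1699056000, three days), with the two window bounds kept as fixed epochs; description, key and Percentage_Rec are made up.

```xml
<dashboard version="1.1">
  <label>Carry relgap through stats (constructed data)</label>
  <row>
    <panel>
      <title>Average per day</title>
      <!-- Without "max(relgap) AS relgap" in the stats clause, relgap is gone after stats
           and Av_Rec evaluates to null. Expected output for this data:
             db  k1  Rec1=90   relgap=3  Av_Rec=30
             web k1  Rec1=120  relgap=3  Av_Rec=40 -->
      <table>
        <search>
          <query>| makeresults count=6
| streamstats count AS n
| eval sTime = 1698796800 + n * 43200
| eval description = if(n % 2 == 0, "web", "db"), key = "k1", Percentage_Rec = n * 10
| eval reltimeearl = 1698796800, reltimelate = 1699056000
| where sTime &gt; reltimeearl AND sTime &lt;= reltimelate
| eval relgap = (reltimelate - reltimeearl) / 86400
| stats sum(Percentage_Rec) AS Rec1, max(relgap) AS relgap by description key
| eval Av_Rec = round(Rec1 / relgap, 2)
| table description key Rec1 relgap Av_Rec</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>
```

Note the `&lt;=` in the query: inside Simple XML the `<` of a comparison has to be escaped or the dashboard will not parse. Because relgap is derived only from the two constants, computing it after stats instead of aggregating it would work equally well.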
Hello, in this case how do I make sure the panels wait for the submit button, as right now the moment I select any values in the dropdown the panels start loading? Thanks
You could try something like this (untested): include a dummy eval in all your panel searches

| eval _dummy=$dummy$ | fields - _dummy

Then, when your refresh button is pressed, assign a new value to the token, perhaps something like this:

<eval token="dummy">time()</eval>

The idea being that the searches will rerun when there is a change.
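As an added example (not the answerer's code, and not tested by them), here is a complete dashboard built on that idea. Simple XML has no button element, so a single-choice link input stands in for the refresh button; the assumption is that unsetting the input's form token after each click clears the selection so the same choice can be clicked again, and that now() is available in a token eval (the answer used time(); either produces a fresh value). Both panel searches reference $dummy$ only through the throwaway _dummy field, so they rerun whenever the token changes and nothing else in the searches is affected.

```xml
<form version="1.1">
  <label>Refresh all panels with one button (dummy token)</label>
  <init>
    <!-- Seed the token so every panel search can run on first load. -->
    <eval token="dummy">now()</eval>
  </init>
  <fieldset submitButton="false">
    <input type="dropdown" token="env" searchWhenChanged="true">
      <label>Environment</label>
      <choice value="prod">prod</choice>
      <choice value="dev">dev</choice>
      <default>prod</default>
    </input>
    <!-- A one-choice link input stands in for a button. -->
    <input type="link" token="refresh_click">
      <label>Refresh</label>
      <choice value="go">Refresh all panels</choice>
      <change>
        <!-- A new epoch value each click changes $dummy$, so every search that uses it reruns. -->
        <eval token="dummy">now()</eval>
        <!-- Assumption: clearing the form token resets the link, otherwise a second click
             on the already-selected choice does not fire this handler. -->
        <unset token="form.refresh_click"></unset>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Panel A (env=$env$)</title>
      <table>
        <search>
          <query>| makeresults | eval env="$env$", ran_at=strftime(now(), "%Y-%m-%d %H:%M:%S") | eval _dummy=$dummy$ | fields - _dummy</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <title>Panel B (_internal events, last 15 minutes)</title>
      <single>
        <search>
          <query>index=_internal | stats count | eval _dummy=$dummy$ | fields - _dummy</query>
          <earliest>-15m</earliest>
          <latest>now</latest>
        </search>
      </single>
    </panel>
  </row>
</form>
```

Panel A's ran_at column is the easiest way to confirm the mechanism: its value changes on every click of the link, while changing the Environment dropdown reruns Panel A but not Panel B.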
Please share your dashboard source code in a code block
"the problem is the moment i select any of the value from drop down dependent panels load without waiting for Submit button"

This is not accurate. In fact, the panel appears the moment any value is selected. This is expected. But any search that depends on an input requiring submit will not execute until you submit. You can observe this using the following play dashboard:

<form version="1.1" theme="light">
  <label>Test searchWhenChanged</label>
  <description>https://community.splunk.com/t5/Splunk-Search/Panel-loading-without-submit-button/m-p/667821#M229124</description>
  <init>
    <set token="loadsummary">go</set>
  </init>
  <fieldset submitButton="true" autoRun="false">
    <input token="field1" type="time" searchWhenChanged="false">
      <label>Time Picker</label>
      <default>
        <earliest>-15m</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="dropdown" token="subsummary" depends="$loadsummary$" searchWhenChanged="false">
      <label>Summary Selection</label>
      <choice value="FUNC">Function Summary</choice>
      <choice value="MQ">MQ Summary</choice>
      <change>
        <condition value="FUNC">
          <set token="funcsummary">true</set>
          <unset token="funcsummaryMQ"></unset>
        </condition>
        <condition value="MQ">
          <set token="funcsummaryMQ">true</set>
          <unset token="funcsummary"></unset>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Show me funcsummary: $funcsummary$</title>
      <table>
        <search>
          <query>| makeresults | eval funcsummary = "$funcsummary$" </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel>
      <title>Show me funcsummaryMQ: $funcsummaryMQ$</title>
      <table>
        <search>
          <query>| makeresults | eval funcsummaryMQ = "$funcsummaryMQ$"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
    <panel depends="$funcsummaryMQ$">
      <title>ABC</title>
      <table>
        <search>
          <query>index=_internal</query>
          <earliest>$field1.earliest$</earliest>
          <latest>$field1.latest$</latest>
        </search>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

The above is true unless a search doesn't even use any input that requires submit, as is the case with your sample panel. Logically, submit must not affect any such search. The attribute searchWhenChanged in an <input/> only controls <search/>, and is only useful when a particular <search/> utilizes that specific <input searchWhenChanged="false"/>. It has no effect on the depends attribute of <row/> and <panel/>.
Good morning community, I'm currently ingesting a volume of data into an analytics schema. I'm interested in a specific dynamic when some of the results are in failed status: is it possible to alert from AppDynamics when single results are failing and transform the problem into a payload? For example: when I have one row with status failed, generate an alert with the following message: "The message <take the value from the analytics MessageGuID> has status <take the value from the analytics Status> with Exception <value from the analytics Exception>". Thanks for any feedback and experience shared, regards
Hi, thanks. I have installed the image but it seems somewhat difficult to use. Is it possible to get a manual or a description of how to use it? Rgds Geir
Hello, I have the below code for a dropdown menu, and the problem is that the moment I select any value from the dropdown, dependent panels load without waiting for the Submit button. How can this be fixed?

Submit Button code:

<fieldset submitButton="true" autoRun="false">
  <input token="field1" type="time" searchWhenChanged="false">
    <label>Time Picker</label>
    <default>
      <earliest>-15m</earliest>
      <latest>now</latest>
    </default>
  </input>

Dropdown and Token:

  <input type="dropdown" token="subsummary" depends="$loadsummary$" searchWhenChanged="false">
    <label>Summary Selection</label>
    <choice value="FUNC">Function Summary</choice>
    <choice value="MQ">MQ Summary</choice>
    <change>
      <condition value="FUNC">
        <set token="funcsummary">true</set>
        <unset token="funcsummaryMQ"></unset>
      </condition>
      <condition value="MQ">
        <set token="funcsummaryMQ">true</set>
        <unset token="funcsummary"></unset>
      </condition>
    </change>

Sample Panel:

<row depends="$funcsummaryMQ$">
  <panel depends="$funcsummaryMQ$">
    <title>ABC</title>
    <table>
      <search>
        <query>index="SAMPLE" </query>
      </search>
      <option name="count">100</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">none</option>
      <option name="percentagesRow">false</option>
      <option name="refresh.display">progressbar</option>
      <option name="rowNumbers">false</option>
      <option name="wrap">true</option>
    </table>
  </panel>
</row>
I want to show the dropdown values automatically for the data field "landing_time". So I wrote my code like this:

| eval st_time= round(landing_time,0)
| where st_time<=90
| stats values by st_time
| sort st_time

But it shows all values less than 90, not just the landing_time values. For example:

landing_time: 7, 15, 17, 24, 30..
dropdown data shown: 0, 1, 2, 3, 4, .......17, 18, 19,....30, 31...

How could I show only the landing_time values in the dropdown?
Hello team, I have a requirement to add a single Refresh button to refresh all the panels that are loaded with the current token. Is there a way to add a refresh button at the top of the panel? Thanks
In that case, you select only those results with non-null values in fields unique to index=*-palo. Based on your original sample code, dest_ip is the field that all three sources need to match, but threat and "Palo Detected User" in the end result only come from the index=*-palo search. Therefore,

(index=*-palo threat="SMB: User Password Brute Force Attempt(40004)" src=* dest_port=445) OR (index=*-sep device_ip=*) OR (index="*wineventlog" src_ip=*)
| eval dest_ip=coalesce(dest, device_ip, src_ip)
| eval "Palo Detected User" = if(match(index, "-palo"), user, null())
| rename user as username
| fields future_use3 src_ip dest_ip dest_port "Palo Detected User" device_name user_name rule threat repeat_count action ComputerName username
| stats values(*) as * by dest_ip threat "Palo Detected User"
| sort src_ip
| rename future_use3 AS "Date/Time" src_ip AS "Source IP" dest_ip AS "Destination IP" user_name AS "Symantec Detected User @ Destination" device_name AS "Symantec Destination Node" rule AS "Firewall Rule" threat as "Threat Detected" action as "Action" repeat_count AS "Repeated Times"

Technically, you can filter based on previous results. But Splunk's groupby clause only tabulates non-null values. So this is cheaper than getting all 10000 stats before filtering.
Hi,

I get the following error when I start the Server Agent in Ubuntu:

Using java executable at /opt/appdynamics/machineagent/jre/bin/java
./machine-agent: 90: exec: /opt/appdynamics/machineagent/jre/bin/java: Exec format error
I wonder if anyone else has experienced this and can advise? We upgraded from 9.0.3 to 9.1.1, and also upgraded ES to 7.2.0 and CIM to 5.2.0. However, when we go onto the CIM setup from the Enterprise Security menu now, the Tags Allow list is empty. In the underlying datamodels.conf the tags_whitelist is still populated under the relevant data model stanzas, but it is not displaying in the GUI?
Hi all, I have to extract raw data from an Elasticsearch infrastructure, ingesting it into Splunk Enterprise 9.1.1. I saw that there are two apps on Splunkbase: "ElasticSPL Add-on for Splunk" and "Elasticsearch Data Integrator - Modular Input". The first seems not to be certified for Splunk Enterprise but only for Splunk Cloud. Has anyone used them? Are they different, and which one would be preferable? Thank you for your advice. Ciao. Giuseppe
Hi @richgalloway, in the folder C:\Program Files\Thycotic Software\log\ there are many files like xyz.log.1, xyz.log.2, xyz.log.3, ... xyz.log.20... Can we use xyz.log.* in the monitor stanza to make them available in Splunk? Thanks...
Yes, that could be. Anyway, thank you very much for the help @FelixLeh 
We have recently upgraded our Splunk Enterprise to version 9.0.4. We observed that some of the behaviour in the system is different. For example, when we run a search with the timechart/stats command and without mentioning the index field, the results are the same, but under the Events part it shows empty events for the respective timestamp. Below is the sample query and respective results:

host=abc sourcetype=xyz | timechart count

This was not occurring earlier. Though we don't mention the index field, the results used to populate with the respective event logs. Not sure whether this is the expected behavior or a bug. Is this something which we can fix from the end-user side? Could anyone please help me with this? I would also like to know the limitations or restrictions which are introduced with this Splunk version.