All Posts

Hi @koyachi, you could run something like this:

| tstats count latest(_time) AS latest WHERE index=* BY index
| eval latest=strftime(latest,"%Y-%m-%d %H:%M:%S")

Ciao. Giuseppe
OK, so use the search I gave you for your alert and trigger when there are results. But, again, I am not sure how useful this is. What are you actually trying to achieve?
Hello, we have a Splunk instance where we have configured security-related logs. There are hundreds of indexes created on the instance and now we are planning to disable indexes that are no longer active. These security logs are now either going to Azure or they are no longer needed, so they were stopped by the stakeholders. I am looking for a query that can give me the list of indexes with the most recent event timestamp in each index. With these details, the plan is to look for the indexes that have events older than 1 month and consider them as migrated/no longer needed.
@ITWhisperer The base search is:

index=idx-cloud-azure "*09406b3b-b643-4e86-876e-4cd5f5a8be57*"

and the logs returned by this search look like this:

amal_ResourceGroup: PLANALLOC-GSAS-NONPROD-D01-EUS2-GSAS-RG
amal_ResourceName: ALLOCD01GSASTENANTCOSMOSDBACCOUNT01 - COSMOSDB ACCOUNT ADMIN OPERATION
amal_ResourceType: MICROSOFT.INSIGHTS/ACTIVITYLOGALERTS
amal_SubscriptionId: 09406B3B-B643-4E86-876E-4CD5F5A8BE57
caller: Microsoft.Insights/ActivityLogAlerts
category: Alert
correlationId: 6132ca53-ed10-4f13-8c2a-5496dd7decde
identity: { ... }
level: Informational
location: global
operationName: Microsoft.Insights/ActivityLogAlerts/Activated/action
properties: { ... }
resourceId: /subscriptions/09406b3b-b643-4e86-876e-4cd5f5a8be57/resourceGroups/planalloc-gsas-nonprod-d01-eus2-gsas-rg/providers/microsoft.insights/activityLogAlerts/allocd01gsastenantcosmosdbaccount01 - CosmosDB Account Admin Operation
resultDescription: Alert: allocd01gsastenantcosmosdbaccount01 - CosmosDB Account Admin Operation called on action groups : alloceus2d01ag01
resultType: Succeeded
time: 2023-11-06T11:53:58.8277854Z

I have a field called "metricName"; some of its values are CpuPercentage, MemoryPercentage, etc., as listed in the image. So I am filtering my search with the metricName like this:

index=idx-cloud-azure "*09406b3b-b643-4e86-876e-4cd5f5a8be57*" metricName="MemoryPercentage" OR metricName="CpuPercentage"

The condition for the alert is: when the count of CPUPercentage > 85 and MemoryPercentage > 85, it should trigger an alert.
Hi @Bisho-Fouad, I'm sorry I couldn't help you more. Let me know if I can help you further, or, please, accept one answer for the other people of the Community. Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated.
This will give you what you have asked for, although I am not sure of the value of it: if your timeframe is wide enough, you will eventually get more than 85 events of each metric.

index=idx-cloud-azure "*09406b3b-b643-4e86-876e-4cd5f5a8be57*"
| chart count by index, metricName
| where CpuPercentage > 85 AND MemoryPercentage > 85
@ITWhisperer CPUPercentage and MemoryPercentage are the field values of a field called metricName. The condition for the alert is: when the count of CPUPercentage > 85 and MemoryPercentage > 85, it should trigger an alert. Please refer to the screenshot attached.
So, each event has a metricName? Which value are you comparing to 85, or are you just looking to count the different metricNames and see if you have more than 85 of both?
@gcusello It's a really strange message. I will open a ticket. Thanks for your time.
@ITWhisperer The logs look like this:

amdl_ResourceGroup: PLANALLOC-GSAS-NONPROD-IACD01-EUS2-GSAS-RG
amdl_ResourceName: ALLOC-EUS2-IACD01-GSAS-WINASP01
amdl_ResourceType: MICROSOFT.WEB/SERVERFARMS
amdl_SubscriptionId: 09406B3B-B643-4E86-876E-4CD5F5A8BE57
average: 0
count: 1
maximum: 0
metricName: CpuPercentage
minimum: 0
resourceId: /SUBSCRIPTIONS/09406B3B-B643-4E86-876E-4CD5F5A8BE57/RESOURCEGROUPS/PLANALLOC-GSAS-NONPROD-IACD01-EUS2-GSAS-RG/PROVIDERS/MICROSOFT.WEB/SERVERFARMS/ALLOC-EUS2-IACD01-GSAS-WINASP01
time: 2023-11-06T11:38:00Z
timeGrain: PT1M
total: 0
Hi @TISKAR, I have never seen this issue. Which browser are you using? Ciao. Giuseppe
Hello, I'm facing an issue when trying to create a user or access the savedsearch list. For example, when I use the Splunk web interface to create a user, the page remains blank and doesn't display as expected, as shown in the screenshot. Additionally, I attempted to create a user through the CLI using the "splunk add" command, but I received no response, as indicated in the screenshot. Have you encountered this problem before? How can I debug it? I'd like to mention that even when I attempt to view saved searches, the page remains blank and doesn't display them. Thank you.
Depending on how many apps are disregarded by the Readiness App, you could check the outlier apps on Splunkbase. If your currently installed version supports Splunk 9.x, it should support Python 3 as well. A note regarding 9.x upgrades: while upgrading to 9.x from 8.x or lower, check how much storage your KV Stores take up on your systems. The KV Store gets upgraded as part of the update and Splunk wants to back up all KV Stores in the process. This requires at least twice the amount of storage your KV Stores currently use. If you don't do so, you have to manually upgrade them afterwards instead of as part of the Splunk upgrade process.
Hi @Bisho-Fouad, as I said, it's a strange message. For this reason I hinted that you should open a case with Splunk Support, also because these are two important nodes in your infrastructure. Ciao. Giuseppe
Hi @gcusello, I am sure about the password I used. If you have any other recommendations, just send them to me. Thanks for your time.
Everything that is needed should hopefully be found here: https://docs.splunk.com/Documentation/Forwarder/9.1.1/Forwarder/InstallaWindowsuniversalforwarderfromaninstaller

LOGON_USERNAME="<domain\username>"
LOGON_PASSWORD="<pass>"

Provide domain\username and password information for the user to run the SplunkForwarder service. Specify the domain with the username in the format: domain\username. If you don't include these flags, the universal forwarder installs as the Local System user. The Troubleshooting section at the bottom of the link could also lead to answers regarding permissions and local admin groups.
Hi @olawalePS, the dot is a special character and sometimes requires the quotes or the rename. Anyway, good for you, see you next time! Ciao and happy splunking, Giuseppe. P.S.: Karma Points are appreciated.
Thanks, it works, but do you know why it did not work previously? There is no space in the "computerGeneral.lastEnrolledDate" field.
re @Wiessiet: I also looked at that for a while and found these 2 articles which helped me:

https://www.michev.info/blog/post/3180/exchange-api-permissions-missing
https://www.michev.info/blog/post/4067/modern-authentication-oauth-support-for-the-reporting-web-service-in-office-365

In short, these are the steps. To get there: App Registrations -> select our app -> API permissions. Then Add a permission -> go to APIs my organization uses -> paste: Office 365 Exchange Online -> click the Office 365 Exchange Online API section -> then Application permissions. Paste the ReportingWebService.Read.All permission and tick it + approve afterwards. It took me a while as well.

+ the Global Reader permission addition from Roles & admins -> Global Reader -> add assignments -> paste the app name and grant your app the role rights: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/manage-roles-portal
Hi @olawalePS, try to rename the field:

index="jamf" sourcetype="jssUapiComputer:computerGeneral"
| dedup computer_meta.serial
| rename computerGeneral.lastEnrolledDate AS lastEnrolledDate
| eval timestamp = strptime(lastEnrolledDate, "%Y-%m-%dT%H:%M:%S.%3QZ")
| eval sixtyDaysAgo = relative_time(now(), "-60d")
| table computer_meta.name, lastEnrolledDate, timestamp, sixtyDaysAgo

or use quotes ('). Ciao. Giuseppe