All Posts


Hi
You could evaluate this by running this:
index=123 sourcetype=grades line=6 AND class=4 | return Name
If you have events with those values, it returns Name="<value of field Name>". Then it uses that with your outer search.
r. Ismo
Hi Splunkers!
I would like to pass two macros as a token to a base search when multiple values in a multiselect are selected:
<done>
  <condition match="$index$ == &quot;2A*&quot; AND $index$ == &quot;1T*&quot; AND $index$ == &quot;2S*&quot;">
    <set token="standard">true</set>
    <set token="scada">true</set>
    <set token="aws">true</set>
    <set token="index_label">Standard, Scada, AWS</set>
    <set token="index_scope">`scada` OR `aws` OR `standard($cmdb_scope$)`</set>
  </condition>
  <condition match="$index$ == &quot;2A*&quot; AND $index$ == &quot;1T*&quot;">
    <set token="standard">true</set>
    <unset token="aws"></unset>
    <set token="scada">true</set>
    <set token="index_label"> Standard,  Scada</set>
    <set token="index_scope">`scada` OR `standard($cmdb_scope$)`</set>
  </condition>
  <condition match="$index$ == &quot;2A*&quot; AND $index$ == &quot;2S*&quot;">
    <unset token="standard"></unset>
    <set token="scada">true</set>
    <set token="aws">true</set>
    <set token="index_label"> Scada,  AWS</set>
    <set token="index_scope">`scada` OR `aws`</set>
  </condition>
  <condition match="$index$ == &quot;2S*&quot; AND $index$ == &quot;1T*&quot;">
    <set token="standard">true</set>
    <unset token="scada"></unset>
    <set token="aws">true</set>
    <set token="index_label"> AWS,  Standard</set>
    <set token="index_scope">`aws` OR `standard($cmdb_scope$)`</set>
  </condition>
  <condition match="$index$ == &quot;2A*&quot;">
    <unset token="standard"></unset>
    <set token="scada">true</set>
    <unset token="aws"></unset>
    <set token="index_label"> Scada</set>
    <set token="index_scope">`scada`</set>
  </condition>
  <condition match="$index$ == &quot;2S*&quot;">
    <unset token="standard"></unset>
    <unset token="scada"></unset>
    <set token="aws">true</set>
    <set token="index_label"> AWS</set>
    <set token="index_scope">`aws`</set>
  </condition>
  <condition match="$index$ == &quot;1T*&quot;">
    <set token="standard">true</set>
    <unset token="scada"></unset>
    <unset token="aws"></unset>
    <set token="index_label"> Standard</set>
    <set token="index_scope">`standard($cmdb_scope$)`</set>
  </condition>
</done>

<input type="checkbox" token="index" searchWhenChanged="true">
  <label>Choose  console</label>
  <choice value="1T*"> Standard</choice>
  <choice value="2A*"> Scada</choice>
  <choice value="2S*"> AWS</choice>
  <default>1T*, 2A*,2S* </default>
  <initialValue>1T*, 2A*,2S* </initialValue>
  <change>
    <set token="index_label">$label$</set>
  </change>
  <change>
    <condition match="$index$ == &quot;1T*&quot; AND $index$ == &quot;2A*&quot; AND $index$ == &quot;2S*&quot;">
      <set token="standard">true</set>
      <set token="scada">true</set>
      <set token="aws">true</set>
      <set token="index_scope">`scada` OR `standard($cmdb_scope$)` OR `aws`</set>
    </condition>
    <condition match="$index$ == &quot;1T*&quot; AND $index$ == &quot;2A*&quot;">
      <set token="standard">true</set>
      <set token="scada">true</set>
      <unset token="aws"></unset>
      <set token="index_scope">`scada` OR `standard($cmdb_scope$)`</set>
    </condition>
    <condition match="$index$ == &quot;2A*&quot; AND $index$ == &quot;2S*&quot;">
      <unset token="standard"></unset>
      <set token="scada">true</set>
      <set token="aws">true</set>
      <set token="index_scope">`scada` OR `aws`</set>
    </condition>
    <condition match="$index$ == &quot;2S*&quot; AND $index$ == &quot;1T*&quot;">
      <set token="standard">true</set>
      <unset token="scada"></unset>
      <set token="aws">true</set>
      <set token="index_scope">`aws` OR `standard($cmdb_scope$)`</set>
    </condition>
    <condition match="$index$ == &quot;2A*&quot;">
      <unset token="standard"></unset>
      <set token="scada">true</set>
      <unset token="aws"></unset>
      <set token="index_scope">`scada`</set>
    </condition>
    <condition match="$index$ == &quot;2S*&quot;">
      <unset token="standard"></unset>
      <unset token="scada"></unset>
      <set token="aws">true</set>
      <set token="index_scope">`aws`</set>
    </condition>
    <condition match="$index$ == &quot;1T*&quot;">
      <set token="standard">true</set>
      <unset token="scada"></unset>
      <unset token="aws"></unset>
      <set token="index_scope">`standard($cmdb_scope$)`</set>
    </condition>
  </change>
</input>
but this is not working. Only one value is passed when selecting two values. Thanks!
We have a distributed environment. The Splunk version is the same. The OS version of the indexers and search heads is the same, but the deployment server's is different.
Hi @anandhalagaras1,
you have two solutions:
SEDCMD in props.conf (https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata#Anonymize_data_with_a_sed_script)
[your_sourcetype]
SEDCMD-mask = s/securityToken=[^ ]*/securityToken=********/g
or using props.conf and transforms.conf (https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata#Configure_the_transforms.conf_file)
in props.conf
[your_sourcetype]
TRANSFORMS-anonymize = anonymizer
in transforms.conf
[anonymizer]
REGEX = (.*securityToken=)[^ ]*(.*)
FORMAT = $1********$2
DEST_KEY = _raw
I prefer the first solution.
Ciao.
Giuseppe
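Added check, not part of Giuseppe's answer and not Splunk code: before shipping a SEDCMD to production it pays to run the same regex over a few representative lines and confirm the secret is gone and nothing else was eaten. The Python below applies the exact pattern from the answer (`securityToken=[^ ]*`) with `re.sub`, which behaves the same as sed's `s///g` for this pattern, and also tries a narrower variant that stops at `&`, so a token that is not the last query parameter does not swallow the parameters after it. The log lines, hostnames, IPs and token values are constructed for the example. Two caveats worth knowing: SEDCMD and TRANSFORMS in props.conf run at parse time on a heavy forwarder or indexer, not on a universal forwarder, and they only affect events indexed after the change; anything already on disk keeps the token.

```python
import re

# Constructed sample lines modelled on the IIS format in the question (not real data;
# 192.0.2.x addresses and the token values are made up).
SAMPLE_EVENTS = [
    "2023-11-02 06:53:00 192.0.2.10 GET /Security/Security/Logon 123 - 192.0.2.20 "
    "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) "
    "https://abc.xyz.bcd.com/security/security/ChangePasswordWithQuestions"
    "?userName=xyz@abc.com&securityToken=S3cr3tT0k3n 200 0 0 14",
    # Same shape, but the token is followed by another query parameter.
    "2023-11-02 06:52:25 192.0.2.10 GET / 111 - 192.0.2.20 "
    "Mozilla/5.0+(X11;+Linux+x86_64)+HeadlessChrome/117.0.5938.88 "
    "https://abc.xyz.bnm.com/security/security/ChangePasswordWithQuestions"
    "?securityToken=An0th3r&userName=xyz@abc.com 302 0 0 0",
]

# Identical to the SEDCMD in the answer: s/securityToken=[^ ]*/securityToken=********/g
SEDCMD_PATTERN = re.compile(r"securityToken=[^ ]*")

# Narrower variant: stop at '&' as well as space, so trailing query parameters survive.
QUERY_AWARE_PATTERN = re.compile(r"securityToken=[^ &]*")

MASK = "securityToken=********"


def mask_security_token(line: str, query_aware: bool = True) -> str:
    """Return the event with every securityToken value replaced by asterisks."""
    pattern = QUERY_AWARE_PATTERN if query_aware else SEDCMD_PATTERN
    return pattern.sub(MASK, line)


def leaked_tokens(lines, secrets, query_aware: bool = True) -> list:
    """Return the secrets that still appear anywhere in the masked output.

    An empty list is the pass condition for a pre-deployment regex check."""
    masked = [mask_security_token(line, query_aware) for line in lines]
    return [s for s in secrets if any(s in m for m in masked)]


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(mask_security_token(line))
    print("leaked:", leaked_tokens(SAMPLE_EVENTS, ["S3cr3tT0k3n", "An0th3r"]))
```

Note that the original `[^ ]*` version is correct for the two lines in the question, where the token is the last parameter; the `&`-aware pattern only matters if the application ever emits parameters after `securityToken`.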
The search in the square brackets (the subsearch) is executed first. The results are then used to filter the main search. For example, if the subsearch returns 3 rows, these will be separated by ORs and the fields returned in each row will be separated by ANDs:
index=123 sourcetype=grades ((line=6 AND class=4 AND index=123 AND _time=<whatever the time of the event is> AND <whatever other fields are in the event>) OR (line=6 AND class=4 AND index=123 AND _time=<whatever the time of the next event is> AND so on))
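A small emulation of that expansion, added here as an illustration and not part of the answer above or of Splunk itself. It runs the inner search over constructed grade events, substitutes the result rows for the brackets as OR-of-AND clauses, and shows why the result changes when `| return Name` is dropped: without it every field of each inner row (including `_time`) becomes part of the filter, so only the original events can match; with it the filter is just `Name=<value>`. The events, names and timestamps are made up, and `return` is modelled with its default of one row. Real Splunk subsearches also carry other fields and have a result-count limit, which this ignores.

```python
# Constructed sample events standing in for index=123 sourcetype=grades (not real data).
EVENTS = [
    {"_time": "2023-11-02T10:00:00", "Name": "Alice", "line": "6", "class": "4"},
    {"_time": "2023-11-02T10:05:00", "Name": "Bob",   "line": "6", "class": "4"},
    {"_time": "2023-11-02T10:10:00", "Name": "Alice", "line": "2", "class": "1"},
    {"_time": "2023-11-02T10:15:00", "Name": "Carol", "line": "6", "class": "3"},
]


def matches(event, clause):
    """True if the event satisfies every field=value pair of one AND-group."""
    return all(event.get(field) == value for field, value in clause.items())


def search(events, clauses):
    """Apply an expanded filter: (clause1) OR (clause2) OR ...

    Each clause is an AND of field=value pairs. An empty clause list matches
    nothing, which is also what Splunk does when a subsearch returns no rows."""
    return [e for e in events if any(matches(e, c) for c in clauses)]


def return_fields(rows, fields, count=1):
    """Emulate `| return [count] field ...`: keep only the named fields from
    the first `count` rows (the command's default count is 1)."""
    return [{f: r[f] for f in fields if f in r} for r in rows[:count]]


def render(clauses):
    """Text form of the filter Splunk substitutes for the square brackets."""
    groups = ["(" + " AND ".join(f"{k}={v}" for k, v in c.items()) + ")" for c in clauses]
    return "(" + " OR ".join(groups) + ")"


def outer_search(events, inner_filter, use_return=True):
    """Run `index=123 sourcetype=grades [ search line=6 class=4 | return Name ]`
    over the constructed events, with or without the `return` step."""
    inner_rows = search(events, [inner_filter])        # the bracketed search runs first
    clauses = return_fields(inner_rows, ["Name"]) if use_return else inner_rows
    return search(events, clauses)


if __name__ == "__main__":
    inner = {"line": "6", "class": "4"}
    print("with return:   ", render(return_fields(search(EVENTS, [inner]), ["Name"])))
    print("without return:", render(search(EVENTS, [inner])))
    for e in outer_search(EVENTS, inner):
        print(e)
```

Run it and compare the two rendered filters: the `| return Name` form yields `((Name=Alice))`, which also picks up Alice's event with `line=2 class=1`, whereas the form without `return` carries `_time` and therefore matches only the two events that produced it.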
I am attempting to integrate Splunk Synthetic with a browser test. The button I wish to press sits within an iframe, and I cannot seem to understand how I need to set up the steps to select and press it. Each time the result says element not found.
What I tried so far:
1. Updated the name to CSS and gave the ID and Name of the element - not found
2. Tried to use a selector to select the iframe - the result shows I did not set up my selector correctly
Are there any guides online that explain how to set up such a test using a recorder? Thank you in advance
I don't understand how this works, what should replace the square brackets in this situation, or how does the search work here?
index=123 sourcetype=grades [|search index=123 sourcetype=grades line=6 AND class=4|return Name]
Can anyone explain this please? I've tried to make it simpler with one search and get rid of the square brackets, but I always get different results.
My main search is like this. I figured it would be - however, I thought there might be a trick to dynamically leverage the distinct values of "a" and then vectorize the head command or so. Thank you anyhow!
@isoutamo We have good storage for the Splunk DB.
Kindly help on how to mask the password present in the field "securityToken" in the IIS logs. Sample events for reference:
2023-11-02 06:53:00 xx.xxx.xxx.xx GET /Security/Security/Logon 123 - xx.xxx.x.xxx Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.198+Safari/537.36 https://abc.xyz.bcd.com/security/security/ChangePasswordWithQuestions?userName=xyz@abc.com&securityToken=xxxxxxxx  200 0 0 14
2023-11-02 06:52:25 xx.xxx.xxx.xx GET / 111 - xx.xxx.x.xxx Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+HeadlessChrome/117.0.5938.88+Safari/537.36 https://abc.xyz.bnm.com/security/security/ChangePasswordWithQuestions?userName=xyz@abc.com&securityToken=xxxxxxxx  302 0 0 0
We are in Splunk Cloud. Can we mask the password in the GUI itself, or do I need to move the output of the client machines to the HF server and then place the props and transforms there to mask the password? Kindly help to check and update on the same.
Do you have enough disk space for 1) writing those logs to disk and 2) indexing them into _internal?
Hi, as usual it depends on your case. Here are some old posts and docs about those methods:
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutsummaryindexing
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Acceleratedatamodels
https://community.splunk.com/t5/Security/Different-data-acceleration-methods/m-p/343319
https://community.splunk.com/t5/Reporting/What-are-the-differences-between-the-various-features-named-quot/m-p/139713
https://community.splunk.com/t5/Reporting/Data-model-saved-search-or-summary-index/m-p/346931
Which one is best totally depends on your environment and your use case.
r. Ismo
@isoutamo I can access it; I have admin access. I can see logs within 24 hours. But not for the last 24 hours.
@ITWhisperer Yes, that is why I specified the last 24 hours.
Hi @Day,
they are both ways to accelerate searches when you have to use structured fields (searches using fields, not full-text searches). They both use scheduled searches to take events from the raw logs. Data Models use DB tables, whereas Summary indexes are standard Splunk indexes containing the extracted fields. You can accelerate Data Models.
For more info see
https://docs.splunk.com/Documentation/Splunk/9.1.1/Knowledge/Aboutsummaryindexing
https://docs.splunk.com/Documentation/Splunk/9.1.1/Knowledge/Aboutdatamodels
Ciao.
Giuseppe
It depends on your data and what you are trying to get from it. It also depends on what sort of optimisation you are trying to achieve, e.g. speed, length of SPL, size of configuration data, maintenance overhead, etc.
Which kind of environment do you have (single node, distributed)? Have all nodes been updated to the same Splunk + OS version, and are all nodes using the same OS?
Hi
Are you sure that you have access to the _internal index? You could check it by running
| rest /services/authentication/users splunk_server=local f=roles
| search title="<YOUR SPLUNK ACCOUNT NAME>"
| fields title roles
| join roles [| rest /services/authorization/roles | fields title srchIndexesAllowed srchIndexesDefault srchIndexesDisallowed | dedup title | rename title as roles ]
| transpose
Just look at what you have on the allowed and disallowed rows.
r. Ismo
Hi, I'm new here and I still don't understand the difference between summary indexing and data modeling. When should I use each? Or which is the best option for optimizing searches?
Hi, not sure why it's so difficult to convert the time format from AM/PM to 24-hour format using timechart. Our command is
timechart span=10m dc(src_sg_info) by src_sg_info
The X-axis uses the 12-hour format. I have googled a lot without finding any answer on it. Hope someone can give me some hints on it.
Thanks
Geir