All Posts
@PickleRick About this “relationship between these fields”: I have three fields: id, type, node (or module).
1. id is a unique numeric field.
2. type is the category of each transaction.
3. module is the name of each module that the transaction passes through.

These fields exist on all lines and are separated by “id”; also each transaction has its own “type”, and each transaction might be several lines. Here is the example:

16:30:53:002 moduleA:[C1]L[143]T[10]ID[123456]
16:30:54:002 moduleA:[C2]L[143]T[10]ID[123456]
16:30:59:002 moduleF:[C1]L[143]T[11]ID[123456]
16:30:60:002 moduleZ:[C1]L[143]T[11]ID[123456]

16:30:53:002 moduleB:[C1]L[143]T[20]ID[987654]
16:30:54:002 moduleD:[C2]L[143]T[20]ID[987654]
16:30:59:002 moduleE:[C1]L[143]T[21]ID[987654]

Expected output:

flow                           Id       T    C
moduleA > moduleF > moduleZ    123456   11   1
moduleB > moduleD > moduleE    987654   21   1

FYI: the latest value of T (=11) is important for me.
FYI: C means the count of how many times this flow was detected.
FYI: like an APM that draws the trace of a transaction; I need something like that without creating a graph, just to find rare transaction patterns or flows.

Any idea? Thanks
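The grouping this question asks for, written out as an added Python example (it is not from the post and not Splunk code): each ID's lines are collected in file order into a module path, the last T seen for the ID is kept, and flows are counted across IDs so that rare paths can be flagged. The line format, the collapsing of consecutive repeats of the same module (the two moduleA lines of ID 123456) and the function names are assumptions made here; the sample log is constructed from the lines above.

```python
import re
from collections import Counter, OrderedDict

# Constructed sample, modelled on the log lines in the post above
# (one transaction per ID, several lines per transaction).
SAMPLE_LOG = """\
16:30:53:002 moduleA:[C1]L[143]T[10]ID[123456]
16:30:54:002 moduleA:[C2]L[143]T[10]ID[123456]
16:30:59:002 moduleF:[C1]L[143]T[11]ID[123456]
16:30:60:002 moduleZ:[C1]L[143]T[11]ID[123456]
16:30:53:002 moduleB:[C1]L[143]T[20]ID[987654]
16:30:54:002 moduleD:[C2]L[143]T[20]ID[987654]
16:30:59:002 moduleE:[C1]L[143]T[21]ID[987654]
"""

# Assumed line layout: "<timestamp> <module>:[C<n>]L[<n>]T[<n>]ID[<n>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<module>\w+):\[C(?P<c>\d+)\]L\[(?P<l>\d+)\]"
    r"T\[(?P<t>\d+)\]ID\[(?P<id>\d+)\]"
)


def parse_lines(text):
    """Yield (id, module, T) for every line matching LINE_RE; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("id"), m.group("module"), int(m.group("t"))


def build_flows(text, collapse_repeats=True):
    """Return an ordered mapping id -> {"flow": "modA > modF", "T": latest T}.

    Lines are taken in file order rather than sorted by timestamp (the sample's
    own timestamps are not all valid, e.g. second 60).  Consecutive repeats of the
    same module are collapsed so the two moduleA lines of ID 123456 count once.
    """
    per_id = OrderedDict()
    for tid, module, t in parse_lines(text):
        entry = per_id.setdefault(tid, {"modules": [], "T": None})
        if not (collapse_repeats and entry["modules"] and entry["modules"][-1] == module):
            entry["modules"].append(module)
        entry["T"] = t  # the latest line for the ID wins
    return OrderedDict(
        (tid, {"flow": " > ".join(e["modules"]), "T": e["T"]})
        for tid, e in per_id.items()
    )


def summarise(text, rare_threshold=1):
    """Rows of (flow, Id, T, C), where C is how many transactions followed that
    flow, plus the set of flows seen at most rare_threshold times."""
    flows = build_flows(text)
    counts = Counter(v["flow"] for v in flows.values())
    rows = [(v["flow"], tid, v["T"], counts[v["flow"]]) for tid, v in flows.items()]
    rare = {flow for flow, c in counts.items() if c <= rare_threshold}
    return rows, rare


if __name__ == "__main__":
    rows, rare = summarise(SAMPLE_LOG)
    print(f"{'flow':30} {'Id':8} {'T':4} C")
    for flow, tid, t, c in rows:
        print(f"{flow:30} {tid:8} {t:<4} {c}")
    print("rare flows:", sorted(rare))
```

With more transactions, C rises for every ID that shares a path, and the rare set is the list of paths worth looking at first. In SPL the same grouping is what a rex extraction followed by stats list(module) as modules latest(T) as T by ID produces, with a second stats count by flow for C.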
Hi
To get help you must first tell what you have in your Splunk. Describe your log events, indexes etc. This is doable if/when you have suitable data in Splunk.
r. Ismo
Ok, it's working for adding another table ID, and the text is also showing when I've added the "else" provided above, but I had to refresh the Splunk web cache by adding _bump and refreshing the version: http://<your host and port>/en-US/_bump
Hi
As the time format is taken from your language setting, you could change the language in the URL, e.g. http://splunk-rh8:8000/en-US/app/search/search? to http://splunk-rh8:8000/en-GB/app/search/search? or something else which has a "better" time format.
r. Ismo
Hi
With recent Splunk versions there are also Ingest Actions, and if you have a Splunk Cloud instance then you could use Splunk Edge Processor as one excellent option.
r. Ismo
Have you checked that your OS is supported by Splunk with your current Splunk version?
Hi
You could evaluate this by running this:

index=123 sourcetype=grades line=6 AND class=4 | return Name

If you have events with those values it returns Name="<value of field Name>". Then it uses that with your outer search.
r. Ismo
Hi Splunkers!

I would like to pass two macros as a token to a base search when multiple values in a multiselect are selected:

<done>
  <condition match="$index$ == &quot;2A*&quot; AND $index$ == &quot;1T*&quot; AND $index$ == &quot;2S*&quot;">
    <set token="standard">true</set>
    <set token="scada">true</set>
    <set token="aws">true</set>
    <set token="index_label">Standard, Scada, AWS</set>
    <set token="index_scope">`scada` OR `aws` OR `standard($cmdb_scope$)`</set>
  </condition>
  <condition match="$index$ == &quot;2A*&quot; AND $index$ == &quot;1T*&quot;">
    <set token="standard">true</set>
    <unset token="aws"></unset>
    <set token="scada">true</set>
    <set token="index_label"> Standard,  Scada</set>
    <set token="index_scope">`scada` OR `standard($cmdb_scope$)`</set>
  </condition>
  <condition match="$index$ == &quot;2A*&quot; AND $index$ == &quot;2S*&quot;">
    <unset token="standard"></unset>
    <set token="scada">true</set>
    <set token="aws">true</set>
    <set token="index_label"> Scada,  AWS</set>
    <set token="index_scope">`scada` OR `aws`</set>
  </condition>
  <condition match="$index$ == &quot;2S*&quot; AND $index$ == &quot;1T*&quot;">
    <set token="standard">true</set>
    <unset token="scada"></unset>
    <set token="aws">true</set>
    <set token="index_label"> AWS,  Standard</set>
    <set token="index_scope">`aws` OR `standard($cmdb_scope$)`</set>
  </condition>
  <condition match="$index$ == &quot;2A*&quot;">
    <unset token="standard"></unset>
    <set token="scada">true</set>
    <unset token="aws"></unset>
    <set token="index_label"> Scada</set>
    <set token="index_scope">`scada`</set>
  </condition>
  <condition match="$index$ == &quot;2S*&quot;">
    <unset token="standard"></unset>
    <unset token="scada"></unset>
    <set token="aws">true</set>
    <set token="index_label"> AWS</set>
    <set token="index_scope">`aws`</set>
  </condition>
  <condition match="$index$ == &quot;1T*&quot;">
    <set token="standard">true</set>
    <unset token="scada"></unset>
    <unset token="aws"></unset>
    <set token="index_label"> Standard</set>
    <set token="index_scope">`standard($cmdb_scope$)`</set>
  </condition>

<input type="checkbox" token="index" searchWhenChanged="true">
  <label>Choose  console</label>
  <choice value="1T*"> Standard</choice>
  <choice value="2A*"> Scada</choice>
  <choice value="2S*"> AWS</choice>
  <default>1T*, 2A*,2S* </default>
  <initialValue>1T*, 2A*,2S* </initialValue>
  <change>
    <set token="index_label">$label$</set>
  </change>
  <change>
    <condition match="$index$ == &quot;1T*&quot; AND $index$ == &quot;2A*&quot; AND $index$ == &quot;2S*&quot;">
      <set token="standard">true</set>
      <set token="scada">true</set>
      <set token="aws">true</set>
      <set token="index_scope">`scada` OR `standard($cmdb_scope$)` OR `aws`</set>
    </condition>
    <condition match="$index$ == &quot;1T*&quot; AND $index$ == &quot;2A*&quot;">
      <set token="standard">true</set>
      <set token="scada">true</set>
      <unset token="aws"></unset>
      <set token="index_scope">`scada` OR `standard($cmdb_scope$)`</set>
    </condition>
    <condition match="$index$ == &quot;2A*&quot; AND $index$ == &quot;2S*&quot;">
      <unset token="standard"></unset>
      <set token="scada">true</set>
      <set token="aws">true</set>
      <set token="index_scope">`scada` OR `aws`</set>
    </condition>
    <condition match="$index$ == &quot;2S*&quot; AND $index$ == &quot;1T*&quot;">
      <set token="standard">true</set>
      <unset token="scada"></unset>
      <set token="aws">true</set>
      <set token="index_scope">`aws` OR `standard($cmdb_scope$)`</set>
    </condition>
    <condition match="$index$ == &quot;2A*&quot;">
      <unset token="standard"></unset>
      <set token="scada">true</set>
      <unset token="aws"></unset>
      <set token="index_scope">`scada`</set>
    </condition>
    <condition match="$index$ == &quot;2S*&quot;">
      <unset token="standard"></unset>
      <unset token="scada"></unset>
      <set token="aws">true</set>
      <set token="index_scope">`aws`</set>
    </condition>
    <condition match="$index$ == &quot;1T*&quot;">
      <set token="standard">true</set>
      <unset token="scada"></unset>
      <unset token="aws"></unset>
      <set token="index_scope">`standard($cmdb_scope$)`</set>
    </condition>

but this is not working. Only one value is passed when selecting two values. Thanks!
We have a distributed environment. The Splunk version is the same. The OS version of the indexers and search heads is the same, but for the deployment server it is different.
Hi @anandhalagaras1, you have two solutions:

SEDCMD in props.conf (https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata#Anonymize_data_with_a_sed_script):

[your_sourcetype]
SEDCMD-mask = s/securityToken=[^ ]*/securityToken=********/g

or using props.conf and transforms.conf (https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata#Configure_the_transforms.conf_file). In props.conf:

[your_sourcetype]
TRANSFORMS-anonymize = anonymizer

In transforms.conf:

[anonymizer]
# With DEST_KEY = _raw the whole event is replaced by FORMAT, so the text before
# and after the token value is captured and put back with $1 and $2.
REGEX = ^(.*securityToken=)[^ ]*(.*)$
FORMAT = $1********$2
DEST_KEY = _raw

I prefer the first solution.

Ciao.
Giuseppe
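To see what the SEDCMD in this answer actually does to an event before it is deployed, here is an added Python example (my own code, not from the answer and not Splunk's sed implementation) that applies the same substitution to constructed IIS-style events and checks the result for leftover token values. The sample events, the tighter `[^ &]*` variant and the function names are assumptions made here; the caveat it shows is that `[^ ]*` also removes any query parameter that follows the token, because `&` is not a space.

```python
import re

# Constructed sample events in the shape of the IIS lines quoted in this thread;
# addresses, hostnames and token values are placeholders, not real data.
SAMPLE_EVENTS = [
    "2023-11-02 06:53:00 10.0.0.1 GET /Security/Security/Logon 123 - 10.0.0.2 Mozilla/5.0 "
    "https://abc.example.com/security/security/ChangePasswordWithQuestions"
    "?userName=xyz@abc.com&securityToken=SECRETVALUE1  200 0 0 14",
    # Same shape, but another query parameter follows the token; constructed to
    # show how the two patterns below differ on it.
    "2023-11-02 06:52:25 10.0.0.1 GET / 111 - 10.0.0.2 Mozilla/5.0 "
    "https://abc.example.com/security/security/ChangePasswordWithQuestions"
    "?securityToken=SECRETVALUE2&userName=xyz@abc.com  302 0 0 0",
]

MASK = "********"

# The substitution from the SEDCMD in the answer above:
#   s/securityToken=[^ ]*/securityToken=********/g
PATTERN_PAGE = re.compile(r"securityToken=[^ ]*")

# Tighter variant (an assumption added here, not part of the answer): also stop
# at '&', so a query parameter that follows the token is kept in the event.
PATTERN_TIGHT = re.compile(r"securityToken=[^ &]*")


def mask_event(event, pattern=PATTERN_TIGHT):
    """Apply the sed-style global substitution to one raw event."""
    return pattern.sub("securityToken=" + MASK, event)


def token_leaked(event):
    """Check for already-indexed data: True if any securityToken in the event
    still carries a value other than the mask."""
    return any(v != MASK for v in re.findall(r"securityToken=([^ &]*)", event))


def mask_all(events, pattern=PATTERN_TIGHT):
    """Mask every event and refuse to return anything that still leaks a token."""
    masked = [mask_event(e, pattern) for e in events]
    leaks = [e for e in masked if token_leaked(e)]
    if leaks:
        raise ValueError(f"{len(leaks)} event(s) still contain a securityToken value")
    return masked


if __name__ == "__main__":
    for e in mask_all(SAMPLE_EVENTS, PATTERN_PAGE):
        print("page pattern :", e)
    for e in mask_all(SAMPLE_EVENTS):
        print("tight pattern:", e)
```

Whichever pattern is chosen, it has to run where the event is parsed (the heavy forwarder or indexer, before the data is written), since the props.conf stanza above does not change data that is already indexed; the token_leaked check is the kind of search to run over existing data to find events that were indexed before the masking was in place.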
The search in the square brackets (the subsearch) is executed first. The results are then used to filter the main search. For example, if the subsearch returns 3 rows, these will be separated by ORs and the fields returned in each row will be separated by ANDs:

index=123 sourcetype=grades ((line=6 AND class=4 AND index=123 AND _time=<whatever the time of the event is> AND <whatever other fields are in the event>) OR (line=6 AND class=4 AND index=123 AND _time=<whatever the time of the next event is> AND so on))
I am attempting to integrate Splunk Synthetic with a browser test.

The button I wish to press sits within an iframe, and I cannot seem to understand how I need to set up the steps to select and press it. Each time the result says element not found.

What I tried so far:
1. Updated the name to CSS and gave the ID and Name of the element - not found
2. Tried to use a selector to select the iframe - the result shows I did not set up my selector correctly

Are there any guides online that explain how to set up such a test using a recorder? Thank you in advance
I don't understand how this works; what should replace the square brackets in this situation, or how does the search work here?

index=123 sourcetype=grades [|search index=123 sourcetype=grades line=6 AND class=4|return Name]

Can anyone explain this please? I've tried to make it simpler with one search and get rid of the square brackets, but I always get different results.
It is like this in my main search. I figured it would be; however, I thought there might be a trick to dynamically leverage the distinct values of "a" and then vectorize the head command or so. Thank you anyhow!
@isoutamo We have good storage for Splunk db.    
Kindly help on how to mask the password present in the field "securityToken" in the IIS logs. Sample events for reference:

2023-11-02 06:53:00 xx.xxx.xxx.xx GET /Security/Security/Logon 123 - xx.xxx.x.xxx Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.198+Safari/537.36 https://abc.xyz.bcd.com/security/security/ChangePasswordWithQuestions?userName=xyz@abc.com&securityToken=xxxxxxxx  200 0 0 14
2023-11-02 06:52:25 xx.xxx.xxx.xx GET / 111 - xx.xxx.x.xxx Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+HeadlessChrome/117.0.5938.88+Safari/537.36 https://abc.xyz.bnm.com/security/security/ChangePasswordWithQuestions?userName=xyz@abc.com&securityToken=xxxxxxxx  302 0 0 0

We are in Splunk Cloud; can we mask the password in the GUI itself, or do I need to move the output of the client machines to the HF server and then place the props and transforms there to mask the password?

Kindly help to check and update on the same.
Have you enough disk space for 1) creating those logs on disk and 2) indexing them into _internal?
Hi
As usual, it depends on your case. Here are some old posts and docs about those methods:
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutsummaryindexing
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Acceleratedatamodels
https://community.splunk.com/t5/Security/Different-data-acceleration-methods/m-p/343319
https://community.splunk.com/t5/Reporting/What-are-the-differences-between-the-various-features-named-quot/m-p/139713
https://community.splunk.com/t5/Reporting/Data-model-saved-search-or-summary-index/m-p/346931
Which one is best for your use case totally depends on your environment and your use case.
r. Ismo
@isoutamo I can access it; I have admin access. I can see logs within 24 hours. But not for the last 24 hours.
@ITWhisperer Yes, that's why I specified the last 24 hours.