Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
All Posts
Find Answers
Ask questions. Get answers. Find technical product solutions from passionate members of the Splunk community.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- All Posts
All Posts
11-02-2023
05:21 AM
@PickleRick About this “relationship between this field” i have three fields: id, type, node(or module) 1-id is unique numeric field. 2-type is category of each transaction. 3-module is name...
See more...
@PickleRick About this “relationship between this field” i have three fields: id, type, node(or module) 1-id is unique numeric field. 2-type is category of each transaction. 3-module is name of each module that transactions pass through it. these fields exist on all lines and separate by “id” also each transaction has it’s own “type” each transactions might be several lines Here is the example: 16:30:53:002 moduleA:[C1]L[143]T[10]ID[123456]
16:30:54:002 moduleA:[C2]L[143]T[10]ID[123456]
16:30:59:002 moduleF:[C1]L[143]T[11]ID[123456]
16:30:60:002 moduleZ:[C1]L[143]T[11]ID[123456] 16:30:53:002 moduleB:[C1]L[143]T[20]ID[987654] 16:30:54:002 moduleD:[C2]L[143]T[20]ID[987654] 16:30:59:002 moduleE:[C1]L[143]T[21]ID[987654] Expected output: flow Id T C moduleA > moduleF > moduleZ 123456 11 1 moduleB > moduleD > moduleE 987654 21 1 FYI: latest value of T=11 important for me. FYI: C meant count of number of detected this flow. FYI: like APM that draw trace of transaction need something like that without create graph just find rare transaction patterns or flow. Any idea? Thanks
11-02-2023
05:01 AM
Ok it's working for adding another table ID and also text is showing when I've added provided above "else" but I had to do a splunk website cache by adding _bump and refresh version http://<your ho...
See more...
Ok it's working for adding another table ID and also text is showing when I've added provided above "else" but I had to do a splunk website cache by adding _bump and refresh version http://<your host and port>/en-US/_bump
11-02-2023
04:59 AM
1 Karma
Hi As time format it taken from your language, you could change on your language on URL e.g. http://splunk-rh8:8000/en-US/app/search/search? to http://splunk-rh8:8000/en-GB/app/search/search? o...
See more...
Hi As time format it taken from your language, you could change on your language on URL e.g. http://splunk-rh8:8000/en-US/app/search/search? to http://splunk-rh8:8000/en-GB/app/search/search? or something else which have "better" time format. r. Ismo
11-02-2023
04:51 AM
Hi With recent Splunk versions there are also Ingest Actions and if you have any Splunk Cloud instance then you could use Splunk Edge Processor as a one excellent option. r. Ismo
11-02-2023
04:32 AM
Have you check that your OS is supported by splunk with your current Splunk version?
11-02-2023
04:29 AM
Hi You could evaluate this by running this index=123 sourcetype=grades line=6 AND class=4
| return Name If you have events which those values it returns Name="<value of field Name>" Then it u...
See more...
Hi You could evaluate this by running this index=123 sourcetype=grades line=6 AND class=4
| return Name If you have events which those values it returns Name="<value of field Name>" Then it use that with your outer search r. Ismo
11-02-2023
04:29 AM
Hi Splunkers! I would like to pass two macros as a token to a base search when multiple values in multiselect is selected, <done> <condition match="$index$ == "2A*" AND $index$ == &quo...
See more...
Hi Splunkers! I would like to pass two macros as a token to a base search when multiple values in multiselect is selected, <done> <condition match="$index$ == "2A*" AND $index$ == "1T*" AND $index$ == "2S*""> <set token="standard">true</set> <set token="scada">true</set> <set token="aws">true</set> <set token="index_label">Standard, Scada, AWS</set> <set token="index_scope">`scada` OR `aws` OR `standard($cmdb_scope$)`</set> </condition> <condition match="$index$ == "2A*" AND $index$ == "1T*""> <set token="standard">true</set> <unset token="aws"></unset> <set token="scada">true</set> <set token="index_label"> Standard, Scada</set> <set token="index_scope">`scada` OR `standard($cmdb_scope$)`</set> </condition> <condition match="$index$ == "2A*" AND $index$ == "2S*""> <unset token="standard"></unset> <set token="scada">true</set> <set token="aws">true</set> <set token="index_label"> Scada, AWS</set> <set token="index_scope">`scada` OR `aws`</set> </condition> <condition match="$index$ == "2S*" AND $index$ == "1T*""> <set token="standard">true</set> <unset token="scada"></unset> <set token="aws">true</set> <set token="index_label"> AWS, Standard</set> <set token="index_scope">`aws` OR `standard($cmdb_scope$)`</set> </condition> <condition match="$index$ == "2A*""> <unset token="standard"></unset> <set token="scada">true</set> <unset token="aws"></unset> <set token="index_label"> Scada</set> <set token="index_scope">`scada`</set> </condition> <condition match="$index$ == "2S*""> <unset token="standard"></unset> <unset token="scada"></unset> <set token="aws">true</set> <set token="index_label"> AWS</set> <set token="index_scope">`aws`</set> </condition> <condition match="$index$ == "1T*""> <set token="standard">true</set> <unset token="scada"></unset> <unset token="aws"></unset> <set token="index_label"> Standard</set> <set token="index_scope"> `standard($cmdb_scope$)`</set> </condition> <input type="checkbox" token="index" searchWhenChanged="true"> <label>Choose console</label> <choice value="1T*"> Standard</choice> <choice value="2A*"> Scada</choice> <choice value="2S*"> AWS</choice> <default>1T*, 2A*,2S* </default> <initialValue>1T*, 2A*,2S* </initialValue> <change> <set token="index_label">$label$</set> </change> <change> <condition match="$index$ == "1T*" AND $index$ == "2A*" AND $index$ == "2S*""> <set token="standard">true</set> <set token="scada">true</set> <set token="aws">true</set> <set token="index_scope">`scada` OR `standard($cmdb_scope$)` OR `aws`</set> </condition> <condition match="$index$ == "1T*" AND $index$ == "2A*""> <set token="standard">true</set> <set token="scada">true</set> <unset token="aws"></unset> <set token="index_scope">`scada` OR `standard($cmdb_scope$)`</set> </condition> <condition match="$index$ == "2A*" AND $index$ == "2S*""> <unset token="standard"></unset> <set token="scada">true</set> <set token="aws">true</set> <set token="index_scope">`scada` OR `aws`</set> </condition> <condition match="$index$ == "2S*" AND $index$ == "1T*""> <set token="standard">true</set> <unset token="scada"></unset> <set token="aws">true</set> <set token="index_scope">`aws` OR `standard($cmdb_scope$)`</set> </condition> <condition match="$index$ == "2A*""> <unset token="standard"></unset> <set token="scada">true</set> <unset token="aws"></unset> <set token="index_scope">`scada`</set> </condition> <condition match="$index$ == "2S*""> <unset token="standard"></unset> <unset token="scada"></unset> <set token="aws">true</set> <set token="index_scope">`aws`</set> </condition> <condition match="$index$ == "1T*""> <set token="standard">true</set> <unset token="scada"></unset> <unset token="aws"></unset> <set token="index_scope">`standard($cmdb_scope$)`</set> </condition> but this is not working, Only one value is passed when selecting two values. Thanks!
11-02-2023
04:29 AM
We have distributed environment. The Splunk version is same. The OS version of indexer, search heads are same but for deployment server it is different.
11-02-2023
04:27 AM
1 Karma
Hi @anandhalagaras1, you have two solutions: SEDCMD in props.conf (https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata?_gl=1*mf7xvx*_ga*MTY1NjIzMDM3OC4xNjk3MjA1MzU0*_ga_GS7YF8S63...
See more...
Hi @anandhalagaras1, you have two solutions: SEDCMD in props.conf (https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata?_gl=1*mf7xvx*_ga*MTY1NjIzMDM3OC4xNjk3MjA1MzU0*_ga_GS7YF8S63Y*MTY5ODkyMDExMS40OTMuMS4xNjk4OTI0MDg4LjYwLjAuMA..*_ga_5EPM2P39FV*MTY5ODkyMDA2Ni42MDcuMS4xNjk4OTI0MjIxLjAuMC4w&_ga=2.60123688.468842275.1697205354-1656230378.1697205354&_gac=1.124697080.1697439287.Cj0KCQjwm66pBhDQARIsALIR2zDDpMo42f4nQY5ylRFnUfEyW_h0bbBBKVDgM2rBU1cuYdYxGqfUTWkaAjkxEALw_wcB#Anonymize_data_with_a_sed_script) [your_sourcetype]
SEDCMD-mask = s/securityToken=[^ ]*/securityToken=********/g or using props.conf and transforms.conf /https://docs.splunk.com/Documentation/Splunk/latest/Data/Anonymizedata?_gl=1*mf7xvx*_ga*MTY1NjIzMDM3OC4xNjk3MjA1MzU0*_ga_GS7YF8S63Y*MTY5ODkyMDExMS40OTMuMS4xNjk4OTI0MDg4LjYwLjAuMA..*_ga_5EPM2P39FV*MTY5ODkyMDA2Ni42MDcuMS4xNjk4OTI0MjIxLjAuMC4w&_ga=2.60123688.468842275.1697205354-1656230378.1697205354&_gac=1.124697080.1697439287.Cj0KCQjwm66pBhDQARIsALIR2zDDpMo42f4nQY5ylRFnUfEyW_h0bbBBKVDgM2rBU1cuYdYxGqfUTWkaAjkxEALw_wcB#Configure_the_transforms.conf_file ) in props.conf [your_sourcetype]
TRANSFORMS-anonymize = anonymizer in transforms.conf [anonymizer]
REGEX = securityToken=([^ ]*)
FORMAT = securityToken=(*****)
DEST_KEY = _raw I prefer the first solution. Ciao. Giuseppe
11-02-2023
04:26 AM
The search in the square brackets (the subsearch) is executed first. The results are then used to filter the main search. For example, if the subsearch returns 3 rows, these will be separate by ORs a...
See more...
The search in the square brackets (the subsearch) is executed first. The results are then used to filter the main search. For example, if the subsearch returns 3 rows, these will be separate by ORs and the fields returned in each row will be separated by ANDs. index=123 sourcetype=grades ((line=6 AND class=4 AND index=123 AND _time=<whatever the time of the event is> AND <whatever other fields are in the event>) OR (line=6 AND class=4 AND index=123 AND _time=<whatever the time of the next event is> AND so on))
11-02-2023
04:18 AM
1 Karma
I am attempting to integrate Splunk Synthetic with a browser test. The button i wish to press sits within an iframe, and i cannot seem to understand how do i need to setup the steps to select and...
See more...
I am attempting to integrate Splunk Synthetic with a browser test. The button i wish to press sits within an iframe, and i cannot seem to understand how do i need to setup the steps to select and press it. Each time the result says element not found What i tried so far: 1. Updated the name to CSS and gave the ID and Name of the element - not found 2. Tried to use a selector to select the iframe - the result shows i did not setup my selector correctly Are there any guides online that explain how to setup such a test using a recorder? Thank you in advance
Labels
11-02-2023
04:15 AM
I don't understand how this works, what should replace the square brackets in this situation or what does the search works here? index=123 sourcetype=grades [|search index=123 sourcetype=gr...
See more...
I don't understand how this works, what should replace the square brackets in this situation or what does the search works here? index=123 sourcetype=grades [|search index=123 sourcetype=grades line=6 AND class=4|return Name] Can anyone explain this please? I've tried to make it more simple with one search and get rid of the square brackets, but I always get different results.
- Tags:
- search
Labels
- Labels:
-
subsearch
11-02-2023
04:15 AM
It is like this my main search. I figured it would be - however, I thought there might be a trick to dynamically leverage the distinct values of "a" and then vectorize the head command or so. Thank y...
See more...
It is like this my main search. I figured it would be - however, I thought there might be a trick to dynamically leverage the distinct values of "a" and then vectorize the head command or so. Thank you anyhow!
11-02-2023
04:08 AM
@isoutamo We have good storage for Splunk db.
11-02-2023
04:03 AM
Kindly help on how to mask the password present in the field "securityToken" in the IIS logs. Sample event for reference. 2023-11-02 06:53:00 xx.xxx.xxx.xx GET /Security/Security/Logon 123 - xx.xx...
See more...
Kindly help on how to mask the password present in the field "securityToken" in the IIS logs. Sample event for reference. 2023-11-02 06:53:00 xx.xxx.xxx.xx GET /Security/Security/Logon 123 - xx.xxx.x.xxx Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/86.0.4240.198+Safari/537.36 https://abc.xyz.bcd.com/security/security/ChangePasswordWithQuestions?userName=xyz@abc.com&securityToken=xxxxxxxx 200 0 0 14 2023-11-02 06:52:25 xx.xxx.xxx.xx GET / 111 - xx.xxx.x.xxx Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+HeadlessChrome/117.0.5938.88+Safari/537.36 https://abc.xyz.bnm.com/security/security/ChangePasswordWithQuestions?userName=xyz@abc.com&securityToken=xxxxxxxx 302 0 0 0 We are in Splunk Cloud and can we able to mask the password in GUI itself or should i need to move the output of the client machines to the HF server and then place the props and transforms to mask the password. Kindly help to check and update on the same.
Labels
- Labels:
-
encryption
11-02-2023
04:03 AM
Have you enough disk space for 1) creating those logs into disk 2) indexing those to _internal
11-02-2023
04:01 AM
1 Karma
Hi as usually it depends on your case. Here are some old posts and docs about those methods https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutsummaryindexing https://docs.splunk....
See more...
Hi as usually it depends on your case. Here are some old posts and docs about those methods https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutsummaryindexing https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Acceleratedatamodels https://community.splunk.com/t5/Security/Different-data-acceleration-methods/m-p/343319 https://community.splunk.com/t5/Reporting/What-are-the-differences-between-the-various-features-named-quot/m-p/139713 https://community.splunk.com/t5/Reporting/Data-model-saved-search-or-summary-index/m-p/346931 Which one is best for your use case it totally depends on your environment and your use case. r. Ismo
11-02-2023
03:59 AM
@isoutamo I can access it; I have admin access. I can see logs within 24 hours. But not for the last 24 hours.
11-02-2023
03:57 AM
@ITWhisperer Yes, that why I specify last 24 hours
