Hi - I'm not great at Splunk and am struggling with this one. I have this search result in table form:

Name     Status
Server1  OK
Server2  OK
Server1  Deleted
Server2  OK
Server3  Discovered

I'd like to filter out any servers that have status Deleted, so for the example I'd like:

Name     Status
Server2  OK
Server3  Discovered

Thanks for any help.
Unfortunately that doesn't do the trick. It seems that the regex below, used to replace all line-breaks (\r\n) with a delimiter (***), is at fault:

| rex mode=sed field=MSADChangedAttributes "s/\r\n/***/g"

It produces an extra "***" after 'User Account Control:'. So somehow I have to take into account that multiple line-breaks need to be replaced.

SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: -
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x10
User Account Control:
'Don't Expire Password' - Disabled
User Parameters: -
SID History: -
Logon Hours: -
For new Splunk learners' reference, this should be done in the server.conf file: https://docs.splunk.com/Documentation/Splunk/9.1.1/admin/serverconf All default ports are listed here: https://docs.splunk.com/Documentation/Splunk/9.1.1/InheritedDeployment/Ports
Thank you for the idea of the Submit button.  That helps.
Thanks for the solution! We can use | sistats values(myfield) as myfield to populate a summary index.
We have a solution using the collect command, but the team we're engineering this for does not want the collect command in the alert, because they oftentimes use the search link to do investigations and will generate additional collections (which kick off tickets). So we're thinking the log event alert action might be better to use, but you have to manually define each field that you want. Trying to see if we can just pull all the fields of the event into the Event Text.
As I understand it, there is no default replication port.  The cluster will use whatever is in the [replication_port://<port>] or [replication_port-ssl://<port>] stanza.
Hi all, I've been working on a new rule and I just can't get it to work fully. I know that there are many similar questions/answers on the forum related to this, but none of them work for me. The events contain the field "TargetUserOrGroupName" containing an email address, e.g.

TargetUserOrGroupName = testmail@gmail.com

I use split and mvindex to get only the email domain out of TargetUserOrGroupName:

| eval email_domain = mvindex(split(TargetUserOrGroupName, "@"),1)

Then I want to check if "email_domain" is in the lookup "free_email_domains.csv". I was able to get this easily working (partially) with a subsearch and inputlookup:

| search email_domain=* [|inputlookup free_email_domains.csv | fields email_domain]

But there is an issue with getting all the data, as the subsearch returns only 10,000 entries, so free email domains that are not in the first 10k rows are not matched. The local csv file contains only the column email_domains (I did add an "is_free_domain" column with value "Yes" in the lookup while testing, but it can be removed if not needed). Any help is welcome, as I can't get the lookup command to work (maybe due to the additional extracting of the field value).
They have to change the password with the LDAP provider.  Splunk does not offer a means to do so.
@elizabethl_splu is this feature available as of October 2023? Thanks in advance  
The latest Splunk Add-on for Windows is version 8.8.0: https://splunkbase.splunk.com/app/742 For customers who are still on version 4.8.2 and need to upgrade to version 8.8.0, the Splunk documentation says to upgrade to version 5.0.1 first, then upgrade to 6, then go from 6 to anything greater. Since the download of the Splunk Add-on for Windows version 6.0 is not available from Splunkbase:

1. Where can the customer get the Splunk Add-on for Windows version 6.0 (https://splunkbase.splunk.com/app/742)?
2. Can the customer upgrade directly from version 5.0.1 to 8.8.0 without breaking anything?

Note: Assuming that they already followed the steps outlined in "Upgrade the Splunk Add-on for Windows" when upgrading from a version of the Splunk Add-on for Windows that is earlier than 5.0.0.
Hi There, I have noticed that since the most recent update (that changed the UI) the manage bookmarks dashboard is displaying incorrectly when set as my home page.  Has anyone else experienced this / know of a fix? I have also attached an image that shows what the page is meant to look like (Normal Behaviour, Bottom Half of image) and what it looks like when set as the homepage (Strange behaviour on Home Page, Top half of image). Any help/info would be appreciated, Jamie
any update? I've replied before.
I don't think Alpine includes systemd but uses OpenRC instead.
Hi @ritzz, did you try to use stats:

<your-search>
| stats values(mail_sub) AS mail_sub values(mail_to) AS mail_to BY mail_from

The only problem is that the lists in mail_sub and mail_to aren't aligned, because they are each sorted in alphabetical order. If you want to have aligned values you have to combine them:

<your-search>
| eval mail=mail_sub." - ".mail_to
| stats values(mail) AS mail BY mail_from

Ciao. Giuseppe
Hi, I have some process data in source=ps and want to get the status if it is down. I have observed it can be done using the PID. For example, one command ./cybAgent.bin is running with some PID; after I stopped it and started it, the PID changed and the new PID is showing in the Splunk data. But how can we determine when it stopped? Below are the events before and after the restart:

10/20/23 12:07:31.000 PM root 6043 0.7 1.2 6769248 201544 ? Ssl Oct06 158:59 ./cybAgent.bin -a host = testhost
10/20/23 12:07:02.000 PM root 6043 0.7 1.2 6769248 201544 ? Ssl Oct06 158:59 ./cybAgent.bin -a host = testhost

10/20/23 3:50:30.000 PM root 20414 1.0 1.1 6766164 189864 ? Ssl 01:41 2:12 ./cybAgent.bin -a host = testhost
10/20/23 3:50:03.000 PM root 20414 0.9 1.1 6766164 189864 ? Ssl 01:41 2:11 ./cybAgent.bin -a host = testhost
For my mail logs in JSON format, with my Splunk query I created the table below:

mail from   mail sub                 mail to
ABC         account created for A    abc@a.com
ABC         account created for B    bcd@a.com
ABC         account created for C    efg@a.com

In my Splunk query I apply dedup on "mail sub". As you can see, unique but very similar subjects remain in the table, which I want to further become joined or considered as 1 row. My ask: what are the possible ways that I can partially match table column values so they are combined into 1? In the matching logic, if somehow we can use two columns for matching (mail from and mail sub):

mail from   mail sub                 mail to      count
ABC         account created for A    abc@a.com    3

The count 3 comes from the partial match on the unique subject and mail from combined.
Hi @DANITO115, did you follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial)? Anyway, this depends on the data type you want to search and whether you have already extracted the status field. If you have already extracted it, you could simply use:

index=your_index status=403

If not, you have to extract it using a regex, but to help you with this a sample of your logs is required. Otherwise, you can simply search for the string 403:

index=your_index 403

but you could have some false positives. Ciao. Giuseppe
Good morning, I need to know what the exact search command is in order to see this parameter: Enter a search that returns all web application events that contain a prohibited status (403)
Thanks for providing the hints. I tried both changes, the eval and the random command; unfortunately it did not work, while I am sure the data exists.