Hi @gtmj - Unfortunately it's still in development so not available quite yet. We appreciate your patience! 
Can you work with Support to get the older version? Also, what type of Splunk instance are you doing this on? Is it a UF, HF, Search Head, Indexer, etc.? I think that might help you approach this. Based on the docs it sounds like losing some index configurations is part of the breaking changes. For example, if this was an Indexer you're upgrading and relying on the indexes.conf in the Windows app to define that index, then you'll need to move those configurations into another indexes.conf within your deployment. A similar situation exists for configurations included within authorize.conf for that older version. BUT, if this is just a UF, then some of this might be a moot point because UFs don't care about the indexes.conf configurations. You would probably have fewer concerns about doing this on a UF versus a Splunk instance that is part of the core infrastructure versus an edge agent.
To determine if a given field value is in a lookup file, use the lookup command.

    | eval email_domain = mvindex(split(TargetUserOrGroupName, "@"),1)
    | lookup free_email_domains.csv.csv email_domain OUTPUT is_free_domain
    ``` If email_domain is not in the lookup file then is_free_domain will be null ```
    | where isnotnull(is_free_domain)
Using just the where command to filter results just removes one Server1 event rather than all of them. Instead, you can use the eventstats command to associate the Deleted status with all events from the same server. Then filter on that association.

    | eventstats count(eval(Status="Deleted")) as is_deleted by Name
    | where is_deleted=1
    | fields - is_deleted
As @richgalloway said, there are no “default” ports, just examples. You could choose whatever you want.
Hi - I'm not great at Splunk and am struggling with this one: I have this search result in table form

    Name     Status
    Server1  OK
    Server2  OK
    Server1  Deleted
    Server2  OK
    Server3  Discovered

I'd like to filter out any servers that have status Deleted, so for the example I'd like

    Name     Status
    Server2  OK
    Server3  Discovered

Thanks for any help.
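An added example, not from either post above: it rebuilds the table from this question with makeresults (constructed rows) and applies the eventstats approach given in the answer further up the page, keeping only servers that never reported Deleted; the comparison inside eval is case-sensitive, so the status is lowercased before matching.

```spl
| makeresults count=5
| streamstats count AS n
| eval Name = case(n=1, "Server1", n=2, "Server2", n=3, "Server1", n=4, "Server2", n=5, "Server3")
| eval Status = case(n=1, "OK", n=2, "OK", n=3, "Deleted", n=4, "OK", n=5, "Discovered")
| eventstats count(eval(lower(Status)="deleted")) AS deleted_count BY Name
| where deleted_count=0
| table Name Status
```

With these rows the result is the two Server2 OK events and Server3 Discovered; replace the makeresults/eval lines with the real search to apply it to live events.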
Unfortunately that doesn't do the trick, it seems that the regex below used to replace all line-breaks (\r\n) with a delimiter (***) is at fault:

    | rex mode=sed field=MSADChangedAttributes "s/\r\n/***/g"

It produces an extra "***" after "User Account Control:". So somehow I have to take into account that multiple line-breaks need to be replaced ..

    SAM Account Name: -
    Display Name: -
    User Principal Name: -
    Home Directory: -
    Home Drive: -
    Script Path: -
    Profile Path: -
    User Workstations: -
    Password Last Set: -
    Account Expires: -
    Primary Group ID: -
    AllowedToDelegateTo: -
    Old UAC Value: 0x210
    New UAC Value: 0x10
    User Account Control:
        'Don't Expire Password' - Disabled
    User Parameters: -
    SID History: -
    Logon Hours: -
For new Splunk learners' reference, this should be done in the server.conf file: https://docs.splunk.com/Documentation/Splunk/9.1.1/admin/serverconf

All default ports are listed here: https://docs.splunk.com/Documentation/Splunk/9.1.1/InheritedDeployment/Ports
Thank you for the idea of the Submit button.  That helps.
Thanks for the solution! We can use | sistats values(myfield) as myfield to populate the summary index.
We have a solution using the collect command, but the team we're engineering this for does not want the collect command in the alert because they often use the search link to do investigations and will generate additional collections (which kick off tickets). So we're thinking the log event alert action might be better to use, but you have to manually define each field that you want. Trying to see if we can just pull all the fields of the event into the Event Text.
As I understand it, there is no default replication port.  The cluster will use whatever is in the [replication_port://<port>] or [replication_port-ssl://<port>] stanza.
Hi all, I've been working on a new rule and I just can't get it to work fully. I know that there are many similar questions/answers on the forum related to this but none of them work for me. The events contain the field "TargetUserOrGroupName" containing an email address, e.g.

    TargetUserOrGroupName = testmail@gmail.com

I use split and mvindex to get only the email domain out of TargetUserOrGroupName:

    | eval email_domain = mvindex(split(TargetUserOrGroupName, "@"),1)

Then I want to check if "email_domain" is in the lookup "free_email_domains.csv". I was able to get this easily working (partially) with a sub search and inputlookup:

    | search email_domain=* [|inputlookup free_email_domains.csv.csv | fields email_domain]

But there is an issue with getting all data, as the sub-search returns only 10 000 entries, resulting in free email domains that are not in the first 10k rows not being matched. The local csv file contains only the column email_domains (I did add an "is_free_domain" column with value "Yes" in the lookup while testing, but it can be removed if not needed). Any help is welcome as I can't get the lookup command to work (maybe due to the additional extracting of the field value).
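An added example, not from this question or the lookup answer earlier on the page: it runs that answer's lookup approach over constructed test rows, lowercases the extracted domain because file-based lookups match case-sensitively by default, and derives the match flag from the lookup's own email_domain column so no extra is_free_domain column is needed. It assumes the file is named free_email_domains.csv.csv with a lowercase email_domain column, as used in the posts.

```spl
| makeresults count=3
| streamstats count AS n
| eval TargetUserOrGroupName = case(n=1, "testmail@gmail.com", n=2, "Alice@Example.org", n=3, "bob@GMAIL.com")
| eval email_domain = lower(mvindex(split(TargetUserOrGroupName, "@"), 1))
| lookup free_email_domains.csv.csv email_domain OUTPUT email_domain AS matched_domain
| eval is_free_domain = if(isnotnull(matched_domain), "Yes", "No")
| table TargetUserOrGroupName email_domain is_free_domain
```

Because lookup is not a subsearch it is not subject to the 10,000-row subsearch limit described in the question; to use it on live data, replace the makeresults/eval rows with the real search and add | where is_free_domain="Yes" to keep only free-mail domains.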
They have to change the password with the LDAP provider.  Splunk does not offer a means to do so.
@elizabethl_splu is this feature available as of October 2023? Thanks in advance  
The latest Splunk add-on for Windows is version 8.8.0: https://splunkbase.splunk.com/app/742 For customers who are still on version 4.8.2 and need to upgrade to version 8.8.0, the Splunk documentation says to upgrade to version 5.0.1 first, then upgrade to 6, then go from 6 to anything greater. Since the download of the Splunk add-on for Windows version 6.0 is not available from Splunkbase:

1. Where can the customer get the Splunk add-on for Windows version 6.0 (https://splunkbase.splunk.com/app/742)?
2. Can the customer upgrade directly from version 5.0.1 to 8.8.0 without breaking anything?

Note: Assuming that they have already followed the steps outlined in Upgrade the Splunk Add-on for Windows when you are upgrading from a version of the Splunk Add-on for Windows that is earlier than 5.0.0.
Hi There, I have noticed that since the most recent update (that changed the UI) the manage bookmarks dashboard is displaying incorrectly when set as my home page.  Has anyone else experienced this / know of a fix? I have also attached an image that shows what the page is meant to look like (Normal Behaviour, Bottom Half of image) and what it looks like when set as the homepage (Strange behaviour on Home Page, Top half of image). Any help/info would be appreciated, Jamie
any update? I've replied before.
I don't think Alpine includes systemd but uses OpenRC instead.
Hi @ritzz, did you try to use stats:

    <your-search>
    | stats values(mail_sub) AS mail_sub values(mail_to) AS mail_to BY mail_from

The only problem is that the lists in mail_sub and mail_to aren't aligned, because they are sorted in alphabetical order one by one. If you want to have aligned values you have to combine them:

    <your-search>
    | eval mail=mail_sub." - ".mail_to
    | stats values(mail) AS mail BY mail_from

Ciao. Giuseppe