All Posts
Hi @livehybrid  First of all, thanks for your response. When I search using index="wazuh-alerts", I get lots of events. For the search index="wazuh-alerts" "Medium", I get 7 events.
That doesn't sound right - are you referring to a multi-value field?

    | makeresults | fields - _time | eval value=split("ABC","") | search value=A AND value=C

This search above will find a result for A and C, but if you change it to A and D it does not find results. Can you give an example of your results in the OR case?
Note that this means when you select "All" it removes the other options if selected and vice versa, if you have All selected and choose one of the other options, it removes "All" from the list of selections.
To handle an 'All' static option in the multiselect, add this change element:

    <change>
      <condition match="$form.webuser=&quot;*&quot;">
        <set token="webuser"></set>
      </condition>
      <condition>
        <eval token="form.webuser">case(mvcount($form.webuser$)="2" AND mvindex($form.webuser$,0)="*", mvindex($form.webuser$,1), mvfind($form.webuser$,"^\\*$$")=mvcount($form.webuser$)-1, "*", true(), $form.webuser$)</eval>
      </condition>
    </change>
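The case() inside that eval is compact but easy to misread, so here is an added Python model of the same three branches (this is not code from the thread or from Splunk; the "*" sentinel for "All" and the assumption that the multiselect token lists values in the order the user picked them are carried over from the thread). It also replays a sequence of clicks through the rule, which is what the change handler effectively does each time the selection changes.

```python
# Added example (not from the original thread): a Python model of the
# multiselect "All" normalisation expressed by the <eval> in the reply above.
# Assumptions: the static "All" choice has the value "*", and the token holds
# the selected values in the order the user picked them.

ALL = "*"  # value of the static "All" choice in the dashboard


def normalise_selection(selection):
    """Return the multiselect values after applying the 'All' rule.

    Mirrors the case() in the <eval>:
      1. exactly two values and the first is "*"  -> keep only the second
         (the user had "All" selected and then picked a specific option)
      2. the first "*" is the last value          -> keep only "*"
         (the user had specific options and then picked "All")
      3. otherwise                                -> unchanged
    """
    values = list(selection)
    if len(values) == 2 and values[0] == ALL:
        return [values[1]]
    # mvfind() returns the index of the first element matching ^\*$; the eval
    # compares it with mvcount()-1, i.e. "is the first '*' the last element?"
    try:
        first_all = values.index(ALL)
    except ValueError:
        return values
    if first_all == len(values) - 1:
        return [ALL]
    return values


def simulate_clicks(clicks, start=(ALL,)):
    """Apply the rule after every click, the way the <change> handler fires.

    Clicking an already selected option deselects it; otherwise the option is
    appended to the selection. Returns the selection after each click.
    """
    state = list(start)
    history = []
    for choice in clicks:
        if choice in state:
            state.remove(choice)
        else:
            state.append(choice)
        state = normalise_selection(state)
        history.append(list(state))
    return history


if __name__ == "__main__":
    # Constructed click sequence: start on "All", pick two users, then "All" again.
    for step in simulate_clicks(["alice", "bob", ALL]):
        print(step)
```

Running the script shows the three transitions the reply describes: "All" gives way to the first specific user, a second user is appended, and picking "All" again collapses the list back to "*".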
Hey all - I have a need to search for events in Splunk that contain two specific values in one field. I want the results to return only those events that have both values in them. I'm trying to use this:

    (my_field_name="value1" AND my_field_name="value2")

This still returns results that have either value1, or value2, not events that contain both. How would I query for results that contain only both values, not individual values?
As a matter of fact, one actually doesn't need to specify the field name which contains all the key-value pairs. I used the following simple extract parameters:

    | extract pairdelim="," kvdelim=":"

One doesn't need to escape "," as done in the first answer!
Hi, I have a dataset in the following format:

    Name,Status,Timestamp
    ABC,F, 04/24/2025 15:30:03
    ABC, R, 04/24/2025 15:15:01

I need to be able to only display / render the latest status for a given name. My output should look like the following, since the status as of 04/24/2025 15:30:03 is the most recent status:

    ABC,F, 04/24/2025 15:30:03

Appreciate your help.
Hi @pjac1029

You should use valuePrefix for this:

    <valuePrefix>"production\</valuePrefix>

You may also need to change some other fields, including your search, so that you get the *OR* element; I opted for a "WHERE x IN (list)" in the above example. I used:

    <valuePrefix>"production\</valuePrefix>
    <prefix>user IN (</prefix>
    <suffix>)</suffix>
    <valueSuffix>"</valueSuffix>
    <delimiter>, </delimiter>

Below is a full working example dashboard:

    <form version="1.1">
      <label>Answers production prefix</label>
      <fieldset submitButton="false" autoRun="true">
        <input type="multiselect" token="user" searchWhenChanged="true">
          <label>Username</label>
          <fieldForLabel>username</fieldForLabel>
          <fieldForValue>username</fieldForValue>
          <search>
            <query>| makeresults | eval username="Test1" | append [|makeresults | eval username="Test2"] | table username</query>
          </search>
          <valuePrefix>"production\</valuePrefix>
          <prefix>user IN (</prefix>
          <suffix>)</suffix>
          <valueSuffix>"</valueSuffix>
          <delimiter>, </delimiter>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <search>
              <query>| makeresults | eval user="production\Test1", action="Action1" | append [| makeresults | eval user="production\Test2", action="Action2"] | append [| makeresults | eval user="production\Test3", action="Action3"] | where $user$</query>
              <earliest>@h</earliest>
              <latest>now</latest>
            </search>
            <option name="refresh.display">progressbar</option>
          </table>
        </panel>
      </row>
    </form>

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Please help me to optimize this Splunk query:

    index:: rasp_
      NOT [inputlookup Scanners_Ext.csv | fields forwarded_for]
      NOT [inputlookup Scanners_Int.csv | rename ip_addr AS forwarded_for | fields forwarded_for]
      NOT [inputlookup vz_nets.csv | rename netblock AS forwarded_for | fields forwarded_for]
      NOT (forwarded_for="140.108.26.152" OR forwarded_for="" OR forwarded_for="10.*" OR forwarded_for=null)
      app!="" app!="\"*\"" app!="VASTID*"
      host!="10.215*" host!="ip-10-*" host!="carogngsa*" host!="carogngta*" host!="carofuzedd*" host!="*ebiz*" host!="echo*" host!="not logged" host!="onm*" host!="tfnm*" host!="voip*" host!="wfm*"
      category!="Config*" category!="Depend*" category!="Stat*" category!="Large*" category!="Uncaught*" category!="Unvalidated Redirect" category!="License" category!="*Parse*"
      action=*
    | stats count
Connection reset means that the other end either completely refused to connect or for some reason decided that the connection is erroneous and closed it abruptly. It is fairly uncommon for an HTTP server to properly respond to a request and close the connection abruptly like that (although it's not unheard of) - typically the server, even if the HTTP response contains an error code, closes the connection gracefully. Also, in such a case you'd see some response. So it's more probable that either the TLS handshake is terminated due to some error in connection negotiation, or there is some network-level problem, or you are simply connecting to a wrong port. The easiest way to troubleshoot would be to check network traffic on both ends during such a curl request.
First things first.
1. Does the splunkd process run on the indexer?
2. Does it listen on the 8089 port?
3. Can you reach the indexer's 8089 port from the SH?
4. What does "splunk status" say on the indexer?
This query will give the number of warnings for each indexer.

    index=_internal source=*license_usage.log type=SlaveWarnSummary
I created a dashboard with an input that allows the user to select a user field from a dropdown that's populated by a lookup table. I need to use a multiselect input type to allow users to filter for one user or all users. I created a change form to prefix the selected user with "production\" and run a query in the panel that retrieves firewall events where the user = the new token value (prefixed with "production\"), since the user in the firewall index is prefixed with "production". The issue is that the set token runs whenever I change the value in the multiselect and appends "production\" to the token value multiple times. Is there a way to set the token AFTER the user has set the filter? Also, how do I filter for ALL events (when the user selects ALL in the multiselect input)? Below is my XML code. Thanks in advance.

    <dashboard version="1.1" theme="light">
      <label>new firewall</label>
      <row>
        <panel>
          <title> Request Information</title>
          <input type="multiselect" token="webuser" searchWhenChanged="true">
            <label>User</label>
            <choice value="*">All</choice>
            <default>*</default>
            <initialValue>*</initialValue>
            <delimiter> </delimiter>
            <fieldForLabel>UserName</fieldForLabel>
            <fieldForValue>UserName</fieldForValue>
            <search>
              <query>| inputlookup my_users.csv | dedup UserName | table UserName</query>
            </search>
            <change>
              <set token="webuser">prod\\$webuser$</set>
            </change>
          </input>
          <input type="time" token="webtime" searchWhenChanged="true">
            <label></label>
            <default>
              <earliest>-4h@m</earliest>
              <latest>now</latest>
            </default>
          </input>
          <table>
            <search>
              <query>( index = main sourcetype = firewall ) action=blocked | search [ inputlookup my_users.csv | eval userName = "prod\\".UserName | rename userName as user | table user ] |table _time, $webuser$ index, action |search user=$webuser$</query>
              <earliest>$webtime.earliest$</earliest>
              <latest>$webtime.latest$</latest>
            </search>
            <option name="drilldown">cell</option>
          </table>
        </panel>
      </row>
    </dashboard>
I'd like to include this in an email alert. I've got various emails to alert when going over but I'd like to show the number of warnings in that 60 day rolling window. 
Have you checked that those indexes are there and Splunk is running there without issues? Basically, if you have the GUI enabled on the IDX you can try the query from there, or use the CLI and do queries on the command line too. Check also if there are any issues in the internal logs. You can query those from the internal indexes like:

    index=_internal log_level IN (error, warn)
*SIGH* I guessed that this might be the reason. It is just annoying that the settings from other apps are shown in part of the settings, but not this one.
Hi @ranafge

Do those 7 medium events look like the ones you would expect to see in the dashboards? Without seeing the data it's hard for us to work out, so please provide redacted samples if you can. Is the data JSON structured? Does it have a field data -> vulnerability -> severity when looking at the event(s)?

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @akanksha01

The ECONNRESET error indicates that the TCP connection was abruptly closed by the Splunk server or an intermediary network device (like a firewall or load balancer) before the request could be fully processed or the response sent. The curl command syntax itself for disabling the saved search appears correct.

Troubleshooting steps:
1. Verify Network Connectivity: Ensure the IP and port (typically 8089 for the Splunk management port) are correct and reachable from the machine running the curl command. Check for firewalls or network ACLs that might be blocking or resetting the connection at either source or destination.
2. Check Splunk Server Status: Ensure the Splunk instance is running and responsive. Are you able to reach the instance using netcat from your source?
3. Examine Splunk Logs: Check the $SPLUNK_HOME/var/log/splunk/splunkd.log on the Splunk server for any errors occurring around the time you ran the curl command. This might provide clues about why the server closed the connection.
4. Check Intermediary Devices: If you are connecting through a load balancer or proxy, check its logs and configuration. It might have shorter timeouts or specific rules causing the connection reset.
5. Simplify the Request: Try the request without --max-time 60 initially to rule out timeout interactions, although disabling an alert should be very fast. You could also apply -v to provide a more verbose output.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @BlueSocket

The Splunk Web UI under Settings -> Server Settings -> Email Domains -> Allowed Domains specifically reads from and writes to the global configuration file located at $SPLUNK_HOME/etc/system/local/alert_actions.conf. Since you configured allowedDomainList within an app context ($SPLUNK_HOME/etc/apps/my_app/local/alert_actions.conf), Splunk correctly applies this setting during its configuration layering process. This is why btool shows the setting as active and the warning message in Splunk Web disappears. However, the UI page itself is designed only to display and manage the setting present in the system/local directory. It does not reflect settings inherited from app-level configurations. Your configuration is active and enforced, but it won't appear on that specific UI page unless you define it globally in $SPLUNK_HOME/etc/system/local/alert_actions.conf.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi Team, I am using the following curl command:

    curl -k -u admin:password -X POST https://<host>:<port>/servicesNS/akanksha_goel1/search/saved/searches/Clickstream-Microsurvey-Failure-Alert-Rule-Dev -d "disabled=1" --max-time 60 -H "Content-Type: application/x-www-form-urlencoded"

But I am getting the error:

    Error: read ECONNRESET

Kindly help us resolve the issue!