All Posts
Hi @pjac1029

You should use valuePrefix for this:

    <valuePrefix>"production\</valuePrefix>

You may also need to change some other fields, including your search, so that you get the *OR* element; I opted for a "WHERE x IN (list)" in the above example. I used:

    <valuePrefix>"production\</valuePrefix>
    <prefix>user IN (</prefix>
    <suffix>)</suffix>
    <valueSuffix>"</valueSuffix>
    <delimiter>, </delimiter>

Below is a full working example dashboard:

    <form version="1.1">
      <label>Answers production prefix</label>
      <fieldset submitButton="false" autoRun="true">
        <input type="multiselect" token="user" searchWhenChanged="true">
          <label>Username</label>
          <fieldForLabel>username</fieldForLabel>
          <fieldForValue>username</fieldForValue>
          <search>
            <query>| makeresults | eval username="Test1" | append [|makeresults | eval username="Test2"] | table username</query>
          </search>
          <valuePrefix>"production\</valuePrefix>
          <prefix>user IN (</prefix>
          <suffix>)</suffix>
          <valueSuffix>"</valueSuffix>
          <delimiter>, </delimiter>
        </input>
      </fieldset>
      <row>
        <panel>
          <table>
            <search>
              <query>| makeresults | eval user="production\Test1", action="Action1" | append [| makeresults | eval user="production\Test2", action="Action2"] | append [| makeresults | eval user="production\Test3", action="Action3"] | where $user$</query>
              <earliest>@h</earliest>
              <latest>now</latest>
            </search>
            <option name="refresh.display">progressbar</option>
          </table>
        </panel>
      </row>
    </form>

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Please help me to optimize this Splunk query:

    index:: rasp_
    NOT [inputlookup Scanners_Ext.csv | fields forwarded_for]
    NOT [inputlookup Scanners_Int.csv | rename ip_addr AS forwarded_for | fields forwarded_for]
    NOT [inputlookup vz_nets.csv | rename netblock AS forwarded_for | fields forwarded_for]
    NOT (forwarded_for="140.108.26.152" OR forwarded_for="" OR forwarded_for="10.*" OR forwarded_for=null)
    app!="" app!="\"*\"" app!="VASTID*"
    host!="10.215*" host!="ip-10-*" host!="carogngsa*" host!="carogngta*" host!="carofuzedd*" host!="*ebiz*" host!="echo*" host!="not logged" host!="onm*" host!="tfnm*" host!="voip*" host!="wfm*"
    category!="Config*" category!="Depend*" category!="Stat*" category!="Large*" category!="Uncaught*" category!="Unvalidated Redirect" category!="License" category!="*Parse*"
    action=*
    | stats count
Connection reset means that the other end either completely refused to connect or for some reason decided that the connection is erroneous and closed it abruptly. It is fairly uncommon for an HTTP server to properly respond to a request and close the connection abruptly like that (although it's not unheard of); typically the server, even if the HTTP response contains an error code, closes the connection gracefully. Also, in such a case you'd see some response. So it's more probable that either the TLS handshake is terminated due to some error in connection negotiation, or there is some network-level problem, or you are simply connecting to a wrong port. The easiest way to troubleshoot would be to check network traffic on both ends during such a curl request.
First things first.

1. Does the splunkd process run on the indexer?
2. Does it listen on the 8089 port?
3. Can you reach indexer's 8089 port from the SH?
4. What does "splunk status" say on the indexer?
This query will give the number of warnings for each indexer.

    index=_internal source=*license_usage.log type=SlaveWarnSummary
I created a dashboard with an input that allows the user to select a user field from a dropdown that's populated by a lookup table. I need to use a multiselect input type to allow users to filter for one user or all users. I created a change form to prefix the selected user with "production\" and run a query in the panel that retrieves firewall events where the user = the new token value (prefixed with "production\"), since the user in the firewall index is prefixed with "production". The issue is that the set token runs whenever I change the value in the multiselect and appends "production\" to the token value multiple times. Is there a way to set the token AFTER the user has set the filter? Also, how do I filter for ALL events (when the user selects ALL in the multiselect input)? Below is my XML code. Thanks in advance.

    <dashboard version="1.1" theme="light">
      <label>new firewall</label>
      <row>
        <panel>
          <title>Request Information</title>
          <input type="multiselect" token="webuser" searchWhenChanged="true">
            <label>User</label>
            <choice value="*">All</choice>
            <default>*</default>
            <initialValue>*</initialValue>
            <delimiter> </delimiter>
            <fieldForLabel>UserName</fieldForLabel>
            <fieldForValue>UserName</fieldForValue>
            <search>
              <query>| inputlookup my_users.csv | dedup UserName | table UserName</query>
            </search>
            <change>
              <set token="webuser">prod\\$webuser$</set>
            </change>
          </input>
          <input type="time" token="webtime" searchWhenChanged="true">
            <label></label>
            <default>
              <earliest>-4h@m</earliest>
              <latest>now</latest>
            </default>
          </input>
          <table>
            <search>
              <query>( index = main sourcetype = firewall ) action=blocked | search [ inputlookup my_users.csv | eval userName = "prod\\".UserName | rename userName as user | table user ] |table _time, $webuser$ index, action |search user=$webuser$</query>
              <earliest>$webtime.earliest$</earliest>
              <latest>$webtime.latest$</latest>
            </search>
            <option name="drilldown">cell</option>
          </table>
        </panel>
      </row>
    </dashboard>
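As an added illustration (not code from either post), here is a small Python model of the two approaches on this page: the `<change><set>` handler from this question, which rewrites the very token it reads and so stacks the prefix on every change event, versus the valuePrefix/prefix/suffix/valueSuffix/delimiter rendering used in the answer earlier on the page, which is a pure function of the current selection. The assembly order of the token and the single backslash produced by the handler are assumptions made for this model.

```python
def render_multiselect_token(values, prefix="", suffix="", value_prefix="",
                             value_suffix="", delimiter=" "):
    """Assemble a multiselect token from its Simple XML settings. The assembly
    order (prefix, then each value wrapped in valuePrefix/valueSuffix and joined
    by delimiter, then suffix) is an assumption made for this model."""
    if not values:
        return ""
    body = delimiter.join(f"{value_prefix}{v}{value_suffix}" for v in values)
    return f"{prefix}{body}{suffix}"


# The input settings from the answer on this page, as keyword arguments.
ANSWER_SETTINGS = dict(
    prefix="user IN (",
    suffix=")",
    value_prefix='"production\\',   # one literal backslash after the quote
    value_suffix='"',
    delimiter=", ",
)


def render_filter(selected):
    """Token as rendered by the answer's input. Re-rendering the same selection
    always yields the same string, so nothing accumulates between changes."""
    return render_multiselect_token(selected, **ANSWER_SETTINGS)


def change_handler_set_token(current_token, user_prefix="production\\"):
    """Model of the question's handler, <set token="webuser">prod\\$webuser$</set>:
    it reads the token it is about to overwrite and prepends the prefix, so it
    is not idempotent. The exact backslash escaping of Simple XML is not modelled."""
    return user_prefix + current_token


def simulate_change_events(initial_token, events, user_prefix="production\\"):
    """Fire the change handler `events` times against the same token, as
    repeated selections in the question do, and return the final token value."""
    token = initial_token
    for _ in range(events):
        token = change_handler_set_token(token, user_prefix)
    return token


if __name__ == "__main__":
    print(render_filter(["Test1", "Test2"]))   # user IN ("production\Test1", "production\Test2")
    print(simulate_change_events("Test1", 2))  # production\production\Test1
```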
I'd like to include this in an email alert. I've got various emails to alert when going over but I'd like to show the number of warnings in that 60 day rolling window. 
Have you checked that those indexes are there and Splunk is running there without issues? Basically, if you have the GUI enabled on the IDX you can try a query from there, or use the CLI and do queries on the command line too. Check also if there are any issues with internal logs. You can query those from internal indexes like:

    index=_internal log_level IN (error, warn)
*SIGH* I guessed that this might be the reason. It is just annoying that the settings from other apps are shown in part of the settings, but not this one.
Hi @ranafge

Do those 7 medium events look like the ones you would expect to see in the dashboards? Without seeing the data it's hard for us to work out, so please provide redacted samples if you can. Is the data JSON structured? Does it have a field data -> vulnerability -> severity when looking at the event(s)?

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi @akanksha01

The ECONNRESET error indicates that the TCP connection was abruptly closed by the Splunk server or an intermediary network device (like a firewall or load balancer) before the request could be fully processed or the response sent. The curl command syntax itself for disabling the saved search appears correct.

Troubleshooting steps:

1. Verify network connectivity: Ensure the IP and port (typically 8089 for the Splunk management port) are correct and reachable from the machine running the curl command. Check for firewalls or network ACLs that might be blocking or resetting the connection at either source or destination.
2. Check Splunk server status: Ensure the Splunk instance is running and responsive. Are you able to reach the instance using netcat from your source?
3. Examine Splunk logs: Check $SPLUNK_HOME/var/log/splunk/splunkd.log on the Splunk server for any errors occurring around the time you ran the curl command. This might provide clues about why the server closed the connection.
4. Check intermediary devices: If you are connecting through a load balancer or proxy, check its logs and configuration. It might have shorter timeouts or specific rules causing the connection reset.
5. Simplify the request: Try the request without --max-time 60 initially to rule out timeout interactions, although disabling an alert should be very fast. You could also apply -v to provide a more verbose output.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
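As an added illustration of what "connection reset" means on the wire, and of the connectivity check in step 1 above (this is not code from any post in the thread): a Python model that stands up a constructed loopback peer which ends the connection either with a TCP RST (close with SO_LINGER set to zero) or with a normal FIN, plus a probe that reports what the client side observes. The loopback address, the sample request and the refused/reset/closed/response labels are assumptions made for the demo.

```python
import socket
import struct
import threading


def _serve_one(srv, abrupt):
    """Constructed peer: accept one connection, read the request, send nothing.
    abrupt=True closes with SO_LINGER {l_onoff=1, l_linger=0}, so the kernel
    emits a TCP RST instead of a FIN. That RST is what curl reports as
    ECONNRESET / 'Connection reset by peer'. abrupt=False closes gracefully."""
    conn, _ = srv.accept()
    with conn:
        conn.recv(4096)
        if abrupt:
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", 1, 0))


def classify_close(host, port, timeout=5.0):
    """Send a minimal POST resembling the curl in this thread and report how the
    peer ended the exchange: 'refused' (nothing listening: check host/port),
    'reset' (RST from the peer or a middlebox), 'closed' (orderly FIN with no
    data at all) or 'response' (some bytes came back)."""
    request = (b"POST /services/saved/searches/example HTTP/1.1\r\n"
               b"Host: splunk\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 10\r\n\r\n"
               b"disabled=1")
    try:
        with socket.create_connection((host, port), timeout=timeout) as c:
            c.sendall(request)
            data = c.recv(4096)
    except ConnectionRefusedError:
        return "refused"
    except ConnectionResetError:
        return "reset"
    return "response" if data else "closed"


def demo(abrupt):
    """Run the constructed peer on an ephemeral loopback port and probe it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    worker = threading.Thread(target=_serve_one, args=(srv, abrupt), daemon=True)
    worker.start()
    try:
        return classify_close("127.0.0.1", srv.getsockname()[1])
    finally:
        worker.join(5)
        srv.close()


if __name__ == "__main__":
    print("abrupt peer  ->", demo(True))    # reset
    print("graceful peer->", demo(False))   # closed
```

A real 8089 endpoint that answers would give 'response' (even for an HTTP error status); 'reset' with no bytes points at the server, a TLS negotiation failure or a middlebox rather than at the request body.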
Hi @BlueSocket

The Splunk Web UI under Settings -> Server Settings -> Email Domains -> Allowed Domains specifically reads from and writes to the global configuration file located at $SPLUNK_HOME/etc/system/local/alert_actions.conf. Since you configured allowedDomainList within an app context ($SPLUNK_HOME/etc/apps/my_app/local/alert_actions.conf), Splunk correctly applies this setting during its configuration layering process. This is why btool shows the setting as active and the warning message in Splunk Web disappears. However, the UI page itself is designed only to display and manage the setting present in the system/local directory. It does not reflect settings inherited from app-level configurations. Your configuration is active and enforced, but it won't appear on that specific UI page unless you define it globally in $SPLUNK_HOME/etc/system/local/alert_actions.conf.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Hi Team,

I am using the following curl command:

    curl -k -u admin:password -X POST https://<host>:<port>/servicesNS/akanksha_goel1/search/saved/searches/Clickstream-Microsurvey-Failure-Alert-Rule-Dev -d "disabled=1" --max-time 60 -H "Content-Type: application/x-www-form-urlencoded"

But I am getting the error:

    Error: read ECONNRESET

Kindly help us resolve the issue!
Hi @livehybrid  First of all, thanks for your response. When I search using index="wazuh-alerts", I get lots of events. For the search index="wazuh-alerts" "Medium", I get 7 events.
I just upgraded to 9.4 and I got the new 9.3+ warning in SplunkWeb about the alert_actions.conf allowedDomainList setting not being set and that I should fix it. I have now set the list correctly in an app and deployed the app to the machine:

    /opt/splunk/etc/apps/my_app/local/alert_action.conf
    [email]
    allowedDomainList = mydomain.com,myotherdomain.com

I then restart Splunk and I get no warnings. I then run the command:

    /opt/splunk/bin/splunk cmd btool alert_actions list email

I see the following:

    [email]
    allowedDomainList = mydomain.com,myotherdomain.com

I then go into SplunkWeb and I do not see the allowedDomainList warning in the messages list; the issue is fixed. I then go into Settings->Server Settings->Email Domains->Allowed Domains and this setting is empty. I would expect to see "mydomain.com,myotherdomain.com" in the setting control. Even when I have set everything correctly and Splunk btool shows the right setting and I have restarted Splunk, why is the setting not showing up?
Hi @rfolkert

Yes, you can use the following in the options{} of your visualisation:

    "backgroundColor": "> primary | seriesByName('color') | lastPoint()"

You can use your own thresholding and logic to determine the "color" field, which should render a HTML colour code (such as #00ff00) in this example:

*OR* if you want to use the built-in colour editing capability in Dashboard Studio then set it up as you normally would under "Color and Style" options for your viz, then once done go to the source code section and update to the following:

    "backgroundColor": "> primary | seriesByName('threshold') | lastPoint() | rangeValue(backgroundColorEditorConfig)"

Note, in this example I am using backgroundColor but you can update this to majorColor or whatever other color styling type you wish to use.

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
    | makeresults
    | fields - _time
    | eval _raw="host,CPU,MeM,UsePct,Swapused
    Apple1,5,3,2,7
    Apple2,4,1,12,9
    Apple3,1,2,4,8"
    | multikv forceheader=1
    | table host,CPU,MeM,UsePct,Swapused
    | lookup hostmetrics.csv host
    | foreach * [| eval fieldvalue=if(fieldname="<<FIELD>>",<<FIELD>>,fieldvalue)]
    | eval metric=if(fieldvalue < value,"OK","Error")

I set up hostmetrics.csv like this:

    | makeresults format=csv data="host,fieldname,value
    Apple1,CPU,4
    Apple3,MeM,2
    Apple2,UsePct,8"
    | outputlookup hostmetrics.csv
I am trying to create a new finding-based detection to group findings together when the risk score exceeds a threshold, similar to the RBA concept. However, I am encountering an issue: when the finding (notable) is created, no Entity appears in the Incident Review dashboard, even though the fields risk_object, normalized_risk_object, and risk_object_type have values. Has anyone experienced the same issue?
Hi, I'm having exactly the same problem. I can integrate ThousandEyes with AppDynamics and receive health status and recommendations for tests to be created. I can also create dashboards in AppDynamics with ThousandEyes metrics. I just can't sync TE with AppD RUM. Could you tell me how you solved your problem? Thank you very much in advance.
As the title suggests, I have a scenario where I have two fields for a single value panel: the first is a number I want to display, but the second field I want to use to color the visualization. The color field is a threshold, so if I am under threshold, green; over threshold, red; and it is returned as a simple boolean 0-1. My basic stats output looks like this, two values: the first is my number displayed, the 2nd my threshold I want to color off of.

    | stats values(PercentChange) as PercentChange latest(threshold) as threshold

The question is how do I tell Dashboard Studio to color off of the secondary field instead of the field defined as my display value?