All Posts


Hi livehybrid, Thank you for pointing that out to me. Regarding your suggested solution, it was very helpful. I checked the mongod.log using the following command:

tail -n 200 $SPLUNK_HOME/var/log/splunk/mongod.log

The output clearly showed the issue:

2025-03-27T10:16:32.087Z W NETWORK [main] Server certificate has no compatible Subject Alternative Name. This may prevent TLS clients from connecting
2025-03-27T10:16:32.087Z F NETWORK [main] The provided SSL certificate is expired or not yet valid.
2025-03-27T10:16:32.087Z F - [main] Fatal Assertion 28652 at src/mongo/util/net/ssl_manager_openssl.cpp 1182
2025-03-27T10:16:32.087Z F - [main] ***aborting after fassert() failure

It turned out that the server SSL certificate had expired. Here are the steps I took to resolve the issue:

1- Backed up the existing certificate:
cp $SPLUNK_HOME/etc/auth/server.pem $SPLUNK_HOME/etc/auth/server.pem.bak

2- Generated a new self-signed certificate:
splunk createssl server-cert -d $SPLUNK_HOME/etc/auth -n server
(This creates a new server.pem valid for 2 years.)

3- Restarted Splunk:
./splunk restart

4- Verified KV Store status:
splunk show kvstore-status

Note for Search Head Cluster: Since we're running a SH cluster, I made sure to:
- Copy the new server.pem to all search head members.
- Restart Splunk on each node.

These steps fully resolved the issue, and the KV Store is now functioning as expected.
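A pre-emptive check for the failure described in the post above, added here as an example (it is not part of the original post or of Splunk): it runs openssl x509 -checkend against the Splunk server.pem so an expiring certificate is caught before mongod aborts on it, and counts the fatal NETWORK lines in mongod.log that signal the abort. SPLUNK_HOME defaulting to /opt/splunk, the 30-day warning window and the availability of openssl on PATH are assumptions.

```shell
#!/bin/sh
# Added example: detect an expiring/expired Splunk server.pem before the KV Store
# (mongod) refuses to start. Assumes openssl is on PATH; SPLUNK_HOME default is assumed.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"

# cert_status <pem> [days]
# Prints one of: unreadable, expired, expiring, ok
# Returns 3 / 2 / 1 / 0 respectively so it can drive a cron or monitoring alert.
cert_status() {
    pem="$1"; days="${2:-30}"
    secs=$((days * 86400))
    [ -r "$pem" ] || { echo unreadable; return 3; }
    # -checkend 0 fails when notAfter is already in the past (the post's failure mode).
    if ! openssl x509 -checkend 0 -noout -in "$pem" >/dev/null 2>&1; then
        echo expired; return 2
    fi
    # Valid now, but would lapse inside the warning window.
    if ! openssl x509 -checkend "$secs" -noout -in "$pem" >/dev/null 2>&1; then
        echo expiring; return 1
    fi
    echo ok; return 0
}

# mongod_tls_fatal <mongod.log>
# Prints the number of fatal ("F") NETWORK lines about the SSL certificate,
# the signature seen in the post. Returns 0 if at least one is present, 1 otherwise.
mongod_tls_fatal() {
    n=$(grep -c ' F NETWORK .*SSL certificate' "$1" 2>/dev/null) || n="${n:-0}"
    echo "$n"
    [ "$n" -gt 0 ]
}

main() {
    cert_status "$SPLUNK_HOME/etc/auth/server.pem" 30
    mongod_tls_fatal "$SPLUNK_HOME/var/log/splunk/mongod.log"
}

# Run the live checks only when explicitly asked, e.g.: sh check_kvstore_cert.sh --check
if [ "${1:-}" = "--check" ]; then main; fi
```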
Hi All, As the old eStreamer add-on is replaced by the new app Cisco Security Cloud ( https://splunkbase.splunk.com/app/7404 ), we have installed the new app and are testing it in a distributed environment. We are facing one issue with intrusion event packet logs which are streaming from FMC into Splunk. Whenever the "packet data" field in intrusion event packets is greater than 4k bytes, it is missing in the Splunk logs. Only the packetdata field is missing; the remaining complete log is visible in Splunk. And there are no errors related to parsing or truncating issues in the Splunk _internal index. Has anyone faced the same issue, or is there any fix for this?
Optimising this will depend on your data. Using subsearches with lookups can be expensive, and using NOT with subsearches, even more so. Depending on the volume of entries in those lookups you will be better off using a lookup, e.g.

index:: rasp_ NOT ( forwarded_for="140.108.26.152" OR forwarded_for="" OR forwarded_for="10.*" OR forwarded_for=null) app!="" app!="\"*\"" app!="VASTID*" host!="10.215*" host!="ip-10-*" host!="carogngsa*" host!="carogngta*" host!="carofuzedd*" host!="*ebiz*" host!="echo*" host!="not logged" host!="onm*" host!="tfnm*" host!="voip*" host!="wfm*" category!="Config*" category!="Depend*" category!="Stat*" category!="Large*" category!="Uncaught*" category!="Unvalidated Redirect" category!="License" category!="*Parse*" action=*
| lookup Scanners_Ext.csv forwarded_for OUTPUT forwarded_for as found
| where isnull(found)
| lookup Scanners_Int.csv ip_addr as forwarded_for OUTPUT ip_addr as found
| where isnull(found)
| lookup vz_nets.csv netblock as forwarded_for OUTPUT netblock as found
| where isnull(found)
| stats count

so the static NOT statement and other != comparisons are part of the search, and then you do each lookup in turn; if a value is found, the event is discarded. The order of the 3 lookups would be in likely match count order, so the lookup that is expected to reduce the event count the most should be done first, and so on. Using NOT or all your != wildcard searches at the beginning will be somewhat expensive; you can use TERM() to reduce the data scan count, but that requires knowing your data well.
I am guessing this is data in a lookup file rather than event data - if you have event data you would already have a time stamp in the event, which may or may not be the same as Timestamp. However, in your specific example, assuming no _time field, then just parse the Timestamp field and use stats latest to get the latest, i.e.

| makeresults format=csv data="Name,Status,Timestamp
ABC,F, 04/24/2025 15:30:03
ABC, R, 04/24/2025 15:15:01"
| eval _time = strptime(Timestamp, "%m/%d/%Y %T")
| stats latest(*) as * by Name
Hi @livehybrid  First of all, thanks for your response. When I search using index="wazuh-alerts", I get lots of events. For the search index="wazuh-alerts" "Medium", I get 7 events.
That doesn't sound right - are you referring to a multi-value field?

| makeresults
| fields - _time
| eval value=split("ABC","")
| search value=A AND value=C

This search above will find a result for A and C, but if you change it to A and D it does not find results. Can you give an example of your results in the OR case?
Note that this means when you select "All" it removes the other options if selected, and vice versa: if you have All selected and choose one of the other options, it removes "All" from the list of selections.
To handle an 'All' static option in the multiselect, add this change element:

<change>
  <condition match="$form.webuser=&quot;*&quot;">
    <set token="webuser"></set>
  </condition>
  <condition>
    <eval token="form.webuser">case(mvcount($form.webuser$)="2" AND mvindex($form.webuser$,0)="*", mvindex($form.webuser$,1), mvfind($form.webuser$,"^\\*$$")=mvcount($form.webuser$)-1, "*", true(), $form.webuser$)</eval>
  </condition>
</change>
Hey all - I have a need to search for events in Splunk that contain two specific values in one field. I want the results to return only those events that have both values in them. I'm trying to use this:

(my_field_name="value1" AND my_field_name="value2")

This still returns results that have either value1 or value2, not events that contain both. How would I query for results that contain both values, not just one of them?
As a matter of fact, one actually doesn't need to specify the field name which contains all the key-value pairs. I used the following simple extract parameters:

| extract pairdelim="," kvdelim=":"

One doesn't need to escape "," as done in the first answer!
Hi, I have a dataset in the following format:

Name,Status,Timestamp
ABC,F, 04/24/2025 15:30:03
ABC, R, 04/24/2025 15:15:01

I need to be able to only display / render the latest status for a given name. My output should look like the following, since the status as of 04/24/2025 15:30:03 is the most recent status:

ABC,F, 04/24/2025 15:30:03

Appreciate your help.
Hi @pjac1029 You should use valuePrefix for this:

<valuePrefix>"production\</valuePrefix>

You may also need to change some other fields, including your search, so that you get the *OR* element; I opted for a "WHERE x IN (list)" in the above example. I used:

<valuePrefix>"production\</valuePrefix>
<prefix>user IN (</prefix>
<suffix>)</suffix>
<valueSuffix>"</valueSuffix>
<delimiter>, </delimiter>

Below is a full working example dashboard:

<form version="1.1">
  <label>Answers production prefix</label>
  <fieldset submitButton="false" autoRun="true">
    <input type="multiselect" token="user" searchWhenChanged="true">
      <label>Username</label>
      <fieldForLabel>username</fieldForLabel>
      <fieldForValue>username</fieldForValue>
      <search>
        <query>| makeresults | eval username="Test1" | append [|makeresults | eval username="Test2"] | table username</query>
      </search>
      <valuePrefix>"production\</valuePrefix>
      <prefix>user IN (</prefix>
      <suffix>)</suffix>
      <valueSuffix>"</valueSuffix>
      <delimiter>, </delimiter>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults | eval user="production\Test1", action="Action1" | append [| makeresults | eval user="production\Test2", action="Action2"] | append [| makeresults | eval user="production\Test3", action="Action3"] | where $user$</query>
          <earliest>@h</earliest>
          <latest>now</latest>
        </search>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

Did this answer help you? If so, please consider:
- Adding karma to show it was useful
- Marking it as the solution if it resolved your issue
- Commenting if you need any clarification
Your feedback encourages the volunteers in this community to continue contributing
Please help me to optimize this Splunk query:

index:: rasp_
NOT [inputlookup Scanners_Ext.csv | fields forwarded_for]
NOT [inputlookup Scanners_Int.csv | rename ip_addr AS forwarded_for | fields forwarded_for]
NOT [inputlookup vz_nets.csv | rename netblock AS forwarded_for | fields forwarded_for]
NOT (forwarded_for="140.108.26.152" OR forwarded_for="" OR forwarded_for="10.*" OR forwarded_for=null)
app!="" app!="\"*\"" app!="VASTID*"
host!="10.215*" host!="ip-10-*" host!="carogngsa*" host!="carogngta*" host!="carofuzedd*" host!="*ebiz*" host!="echo*" host!="not logged" host!="onm*" host!="tfnm*" host!="voip*" host!="wfm*"
category!="Config*" category!="Depend*" category!="Stat*" category!="Large*" category!="Uncaught*" category!="Unvalidated Redirect" category!="License" category!="*Parse*"
action=*
| stats count
Connection reset means that the other end either completely refused to connect or for some reason decided that the connection is erroneous and closed it abruptly. It is fairly uncommon for an HTTP server to properly respond to a request and close the connection abruptly like that (although it's not unheard of) - typically the server, even if the HTTP response contains an error code, closes the connection gracefully. Also, in such a case you'd see some response. So it's more probable that either the TLS handshake is terminated due to some error in connection negotiation, or there is some network-level problem, or you are simply connecting to the wrong port. The easiest way to troubleshoot would be to check network traffic on both ends during such a curl request.
First things first.
1. Does the splunkd process run on the indexer?
2. Does it listen on the 8089 port?
3. Can you reach the indexer's 8089 port from the SH?
4. What does "splunk status" say on the indexer?
This query will give the number of warnings for each indexer:

index=_internal source=*license_usage.log type=SlaveWarnSummary
I created a dashboard with an input that allows the user to select a user field from a dropdown that's populated by a lookup table. I need to use a multiselect input type to allow users to filter for one user or all users. I created a change form to prefix the selected user with "production\" and run a query in the panel that retrieves firewall events where the user = the new token value (prefixed with "production\"), since the user in the firewall index is prefixed with "production". The issue is that the set token runs whenever I change the value in the multiselect and appends "production\" to the token value multiple times. Is there a way to set the token AFTER the user has set the filter? Also, how do I filter for ALL events (when the user selects ALL in the multiselect input)? Below is my XML code. Thanks in advance.

<dashboard version="1.1" theme="light">
  <label>new firewall</label>
  <row>
    <panel>
      <title> Request Information</title>
      <input type="multiselect" token="webuser" searchWhenChanged="true">
        <label>User</label>
        <choice value="*">All</choice>
        <default>*</default>
        <initialValue>*</initialValue>
        <delimiter> </delimiter>
        <fieldForLabel>UserName</fieldForLabel>
        <fieldForValue>UserName</fieldForValue>
        <search>
          <query>| inputlookup my_users.csv | dedup UserName | table UserName</query>
        </search>
        <change>
          <set token="webuser">prod\\$webuser$</set>
        </change>
      </input>
      <input type="time" token="webtime" searchWhenChanged="true">
        <label></label>
        <default>
          <earliest>-4h@m</earliest>
          <latest>now</latest>
        </default>
      </input>
      <table>
        <search>
          <query>( index = main sourcetype = firewall ) action=blocked | search [ inputlookup my_users.csv | eval userName = "prod\\".UserName | rename userName as user | table user ] |table _time, $webuser$ index, action |search user=$webuser$</query>
          <earliest>$webtime.earliest$</earliest>
          <latest>$webtime.latest$</latest>
        </search>
        <option name="drilldown">cell</option>
      </table>
    </panel>
  </row>
</dashboard>
I'd like to include this in an email alert. I've got various emails to alert when going over but I'd like to show the number of warnings in that 60 day rolling window. 
Have you checked that those indexes are there and Splunk is running there without issues? Basically, if you have the GUI enabled on the IDX you can try querying from there, or use the CLI and do queries on the command line too. Check also if there are any issues in the internal logs. You can query those from the internal indexes like:

index=_internal log_level IN (error, warn)
*SIGH* I guessed that this might be the reason. It is just annoying that the settings from other apps are shown in part of the settings, but not this one.