A user is unable to access investigations in Enterprise Security (ES 7.1.1) on Splunk Cloud (Splunk 9.0.2). When clicking on Investigations from the main menu, the message "You do not have permissions to access investigations" appears. The user is assigned the ESS Analyst role, which includes the capability Manage-All-Investigations. Any ideas? Thanks in advance.
But I'm still not able to view the extracted field_header properly in Interesting Fields; I can only see "key" and "value" in Interesting Fields. I'm searching in verbose mode.
Hello, in the column chart results and visualization below I want to show different colors for the field values, e.g. AU Pre & AU Post as one color, DE Pre & DE Post as one color. I'm using this, but it doesn't work:

<option name="charting.fieldColors">{"AU Pre":0x333333,"AU Post":0xd93f3c,"JP Pre":0xeeeeee,"JP Post":0x65a637,"DE Pre":0xeeeeee,"DE Post":0x65a637}</option>

market    limit     spend
AU Pre    1462912   884854
AU Post   2160567   1166031
DE Pre    91217     76973
DE Post   160221    97906
JP Pre    1621712   1015115
JP Post   2787394   1282541
Hi, I was wondering: can we blacklist a process name like "-" in the inputs.conf on the DS, to save Splunk license? Sample event:

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/>
    <EventID>4624</EventID>
    <Version>3</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime='2023-10-17T16:07:15.4402877Z'/>
    <EventRecordID>455140</EventRecordID>
    <Correlation ActivityID='{b2071651-382e-4101-85e8-28f5e9b1b5d5}'/>
    <Execution ProcessID='1112' ThreadID='3816'/>
    <Channel>Security</Channel>
    <Computer>xyz.com</Computer>
    <Security/>
  </System>
  <EventData>
    <Data Name='SubjectUserSid'>NULL SID</Data>
    <Data Name='SubjectUserName'>-</Data>
    <Data Name='SubjectDomainName'>-</Data>
    <Data Name='SubjectLogonId'>0x0</Data>
    <Data Name='TargetUserSid'>NT AUTHORITY\SYSTEM</Data>
    <Data Name='TargetUserName'>xxx$</Data>
    <Data Name='TargetDomainName'>xyx.COM</Data>
    <Data Name='TargetLogonId'>0xb126027</Data>
    <Data Name='LogonType'>3</Data>
    <Data Name='LogonProcessName'>Kerberos</Data>
    <Data Name='AuthenticationPackageName'>Kerberos</Data>
    <Data Name='WorkstationName'>-</Data>
    <Data Name='LogonGuid'>{c425351a-8525-d2f0-f686-1a0aff9db449}</Data>
    <Data Name='TransmittedServices'>-</Data>
    <Data Name='LmPackageName'>-</Data>
    <Data Name='KeyLength'>0</Data>
    <Data Name='ProcessId'>0x0</Data>
    <Data Name='ProcessName'>-</Data>
    <Data Name='IpAddress'>127.0.0.1</Data>
    <Data Name='IpPort'>0</Data>
    <Data Name='ImpersonationLevel'>%%1833</Data>
    <Data Name='RestrictedAdminMode'>-</Data>
    <Data Name='RemoteCredentialGuard'>-</Data>
    <Data Name='TargetOutboundUserName'>-</Data>
    <Data Name='TargetOutboundDomainName'>-</Data>
    <Data Name='VirtualAccount'>%%1843</Data>
    <Data Name='TargetLinkedLogonId'>0x0</Data>
    <Data Name='ElevatedToken'>%%1842</Data>
  </EventData>
</Event>

Thanks
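One way to write such a filter, as an added example that is not part of the original post: the Windows event log input accepts key=regex whitelist/blacklist entries, and when renderXml = true the $XmlRegex key applies the regex to the XML text of the event (assumed available in your Splunk version; confirm against inputs.conf.spec). The stanza name, the use of renderXml and the scope of the regex are assumptions; the regex is written against the field order of the sample event above.

```ini
# inputs.conf, deployed from the DS to the Windows forwarders.
# Added example, not from the thread; stanza name and regex scope are assumptions.
[WinEventLog://Security]
disabled = 0
renderXml = true

# Drop only the noisy subset seen in the sample: EventID 4624, LogonType 3
# (network logon) of a machine account (TargetUserName ending in "$") from
# 127.0.0.1 with ProcessName "-". The regex runs over the single-line XML,
# so the Data elements must appear in this order, as they do in the sample.
blacklist1 = $XmlRegex="<EventID>4624</EventID>.*<Data Name='TargetUserName'>[^<]*\$</Data>.*<Data Name='LogonType'>3</Data>.*<Data Name='ProcessName'>-</Data>.*<Data Name='IpAddress'>127\.0\.0\.1</Data>"
```

The narrow scope is deliberate: ProcessName is "-" on every network (LogonType 3) logon, including the ones from remote hosts that lateral-movement and pass-the-hash detections rely on, so a blanket blacklist on ProcessName alone would save license at the cost of that visibility. Events matched by a blacklist are discarded on the forwarder and cannot be recovered later.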
Give this a try:

<input type="dropdown" token="tok_usecase" searchWhenChanged="true">
  <label>Use Case</label>
  <choice value="&quot;01&quot;">Use Case 01</choice>
  <choice value="&quot;02&quot;">Use Case 02</choice>
  <choice value="&quot;03&quot;">Use Case 03</choice>
  <choice value="&quot;04&quot;">Use Case 04</choice>
  <choice value="&quot;05&quot;">Use Case 05</choice>
  <choice value="&quot;06&quot;">Use Case 06</choice>
  <default>"01"</default>
  <initialValue>"01"</initialValue>
  <change>
    <condition label="Use Case 05">
      <set token="ShowPanel">true</set>
      <unset token="tok_audit"></unset>
      <unset token="tok_taskID"></unset>
      <unset token="tok_sessID"></unset>
    </condition>
    <condition match="true()">
      <unset token="ShowPanel"></unset>
      <unset token="tok_audit"></unset>
      <unset token="tok_taskID"></unset>
      <unset token="tok_sessID"></unset>
    </condition>
  </change>
</input>
Hi @Mohammed Saad.Shaikh, check out all of AppD's APIs here: https://docs.appdynamics.com/appd/23.x/latest/en/extend-appdynamics/appdynamics-apis Please follow up if you find an API that answers your question. Knowledge sharing is what makes this place helpful.
@bowesmana Thank you!!! I modified the query and achieved what I was looking for:

| foreach *_spend_limit
    [ eval type=if(match("<<MATCHSEG1>>","old"), "Pre", "Post"),
           MV=mvappend(mvzip(mvzip('<<MATCHSEG1>>_limit', '<<FIELD>>', ";"), type, ";"), MV) ]
| fields market MV
| mvexpand MV
| rex field=MV "(?<limit>[^\;]*);(?<spend>[^\;]*);(?<type>.*)"
| eval market=market." ".type
| fields market limit spend
Did you deploy a props.conf for this sourcetype on your search head? Since you're doing index-time field extraction (with INDEXED_EXTRACTIONS = json), there is no need for search-time field extraction. I've seen a props.conf with search-time field extraction (KV_MODE = json) alongside index-time field extraction causing double extraction. You need to use one. If you just want index-time field extraction, explicitly set KV_MODE = none on the search head.
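The two configurations side by side, as an added example that is not part of the answer above. The sourcetype name app_json is an assumption; INDEXED_EXTRACTIONS has to live on the instance that first parses the data (the universal forwarder when one is used), and the search-head stanza is what stops the second, search-time extraction.

```ini
# Added example, not from the thread. Sourcetype "app_json" is an assumption.

# --- props.conf on the universal forwarder (or the indexer/heavy forwarder
#     if no UF is in the path): index-time JSON extraction ---
[app_json]
INDEXED_EXTRACTIONS = json

# --- props.conf on the search head, as it often ends up (weak setting):
#     search-time JSON extraction on top of the indexed fields,
#     so every field is extracted twice ---
# [app_json]
# KV_MODE = json

# --- props.conf on the search head, corrected: rely on the indexed fields only ---
[app_json]
KV_MODE = none
AUTO_KV_JSON = false
```

After deploying the search-head stanza, verify with a search over the sourcetype that each JSON key appears once in the field list; if fields are still doubled, check for another app on the search head that sets KV_MODE for the same sourcetype with higher precedence.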
Hello, I am trying to set up a ShowPanel token that I will use later on in the dashboard in this way:

<panel depends="$ShowPanel$">

Here is how I am setting it up:

<input type="dropdown" token="tok_usecase" searchWhenChanged="true">
  <label>Use Case</label>
  <choice value="&quot;01&quot;">Use Case 01</choice>
  <choice value="&quot;02&quot;">Use Case 02</choice>
  <choice value="&quot;03&quot;">Use Case 03</choice>
  <choice value="&quot;04&quot;">Use Case 04</choice>
  <choice value="&quot;05&quot;">Use Case 05</choice>
  <choice value="&quot;06&quot;">Use Case 06</choice>
  <default>"01"</default>
  <initialValue>"01"</initialValue>
  <change>
    <condition match="$tok_usecase$==&quot;05&quot;">
      <set token="ShowPanel">true</set>
      <unset token="tok_audit"></unset>
      <unset token="tok_taskID"></unset>
      <unset token="tok_sessID"></unset>
    </condition>
    <condition match="$tok_usecase$!=&quot;05&quot;">
      <unset token="ShowPanel"></unset>
      <unset token="tok_audit"></unset>
      <unset token="tok_taskID"></unset>
      <unset token="tok_sessID"></unset>
    </condition>
  </change>
</input>

but it seems the $ShowPanel$ token is never given a value. I tried to print it in the panel title, but it appears as $ShowPanel$ instead of having the value "true". Do you know where the error is? Thanks a lot, Edoardo
There's probably a JSON-ic way to do that (assuming the event is pure JSON), but rex can handle a few fields nicely. Assuming the order of fields is fixed, this regex should do it:

| rex "Received update request (?<IL_Customer>[^\.]+)\. Size of array: (?<ArraySize>\d+)"
Hello @yannK, is it still possible to split and get two .lic files? Thanks!
I'd also settle for a slow response! 
{
  logger: org.mule.runtime.core.internal.processor.LoggerMessageProcessor
  message: Received update request IL_Customer. Size of array: 1
  properties: {
    correlationId: 4b910aaf-d316-4594-8eda-c56e861499d3

I want to extract the IL_Customer and the array size from the above log. What will be the regular expression? Thanks in advance.
Hello, all! I'm hopefully looking for an ELI5 (explain like I'm 5) on the best way to migrate an indexer cluster database to an entirely new cluster environment. The end goal is to decommission the current setup.

My current setup: RHEL 7, physical, Splunk 8.2.4. All log sources are still flowing to this setup. 3-member SH cluster, 3-member IDX cluster, 1 CM, etc.

New: RHEL 8, AWS VMs, Splunk 9.1.1. This setup is still empty, with no logs/sources flowing here yet. 3-member SH cluster, 3-member IDX cluster, 1 CM, etc.

From what I found online, merging the 3 new indexers into the old cluster seems to be the preferred method. Does anyone have a link to a detailed writeup on how to do so, with all the little nuances that come with it? Are differing Splunk versions okay? Do I change the replication factor? I'm sure there are a bunch of steps to this method. I appreciate any help!
It's my understanding that the default frozenTimePeriodInSecs is 6 years. I am confused about what this graph means for my _internal index. This is Data Age vs Frozen Age. 1. I don't have 1.461 days of data, because my deployment isn't that old. 2. This appears to say that my frozen age is 30 days? I'm not really sure what this number means.
Try something like this:

index=bla "JOB Initiated" OR "JOB Completed"
``` If your ID is not already extracted, then extract it ```
| rex field=_raw "(?<ID>your_regex_to_extract_id)"
| stats count as eventCount range(_time) as duration by ID

This assumes 2 events per ID, and range(_time) will calculate the duration. You can then check eventCount=2 to make sure you have seen both events.
Is this more like what you envision?

index=_internal
| fieldsummary
| eventstats sum(count) as Total
``` Get rid of fields we don't need ```
| fields - max mean min stdev is_exact
``` Convert the values array to a multi-value field ```
| eval mv_values=json_array_to_mv(values)
``` Put each value into a separate event ```
| mvexpand mv_values
``` Extract value and its count ```
| rex field=mv_values "value\\\":\\\"(?<value>[^\"]+)\\\",\\\"count\\\":(?<valueCount>\d+)"
| eval Pct=round(valueCount*100/Total,2)
| table field value valueCount Pct
I don't like abandoned threads, so after hours and hours with Splunk Tech Support and having opened multiple cases on this issue, I have something worth sharing. You may need to do two things to get this to work / install:

First part

1. Using the command line, stop Splunk from running, so run splunk stop. On Windows it may look something like this:

   C:\Program Files\Splunk\bin>splunk stop

2. Then run the install MSI with the LAUNCHSPLUNK=0 parameter (no, it does not have to be all in caps, not on Windows anyway):

   C:\Software\Splunk>splunk-9.1.1-64e843ea36b1-x64-release.msi launchsplunk=0

Alright, that may get it installed, but afterwards you will notice it does not want to start. That's OK; I will show you what to do to get it to start in the follow-up post.
I would like to get the percentage of some count field from the total count. For example, after using fieldsummary I got this under the values key:

[{"value":"/System/Library/LaunchAgents/com.apple.mdworker.shared.plist","count":61372}

and the total count of events is 1,039,803. So in a new field I want to calculate what percentage the count (61372) is of the total (1,039,803), and I want to get this result for all my fields.
I'm seeing the same errors. It's looking to perform a GET on an object that doesn’t exist in S3. Did you find a solution?