Hi, I have 2 lookup tables, lookup A and lookup B. Both lookups contain the fields Hostname and IP. An example scenario is below:

Lookup A
Hostname    IP
Host A      10.10.10.1
            10.10.10.2
Host B      172.1.1.1

Lookup B
Hostname    IP
Host A      10.10.10.1
Host B      172.1.1.1
            172.1.1.2

Based on the scenario above, I need a result on the IPs where lookup A and B do not match based on Host. But as long as 1 IP in lookup A matches lookup B, it is fine, and lookup B should not have multiple IPs, so it should not match even if it has a matching IP. For your info, both lookups have multiple IPs for a host. Based on the lookup sample above, Host A should match and Host B should not match based on my condition. Please assist on this. Thank you
Hi @AL3Z, don't use quotes: blacklist5 = \<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe) Ciao. Giuseppe
Hi All, We are a Splunk Cloud customer with ES. Is there a way to fetch the ISP and domain info for an IP address directly in the Splunk results? I have looked at this post: https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-query-whois-by-ip/m-p/316975 but the Domain Tools add-on requires a paid subscription. Alternatively, I know that we can set up a workflow to perform a whois lookup via a right-click implementation, but that is again a manual task and it ends up redirecting us to the whois website. I am looking for something open source that can fetch the ISP and domain for an IP address easily. Any thoughts or suggestions? ES users, how do you accomplish this?
Hi @kyoshiike, if you don't know SPL, follow the Splunk Search Tutorial (https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchTutorial/WelcometotheSearchTutorial9), which helps you to understand how to search in Splunk. In the community there are many answers (also from me) listing all the free trainings that you can follow to learn SPL. Ciao. Giuseppe
Hi @yuanliu, noted on that. Thank you for your assistance on this. It's really helpful.
Nope, I have added $xmlRegex followed by your regex. Is this the right one, as you mentioned in regex101? If not, please correct it: blacklist5 = EventCode="4688" Message="\<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)" Thanks
Folks, I'm new to the SPL world. Please advise the right direction to learn Splunk search. Environment: proxy log search. Situation: Some clients sent a massive number of HTTP requests in a small period of time to various destinations (I doubt these clients are infected by malware). How can I find these clients with a Splunk search over proxy or firewall logs? The transaction command will help to find how many sessions were generated by a single IP, but I don't know the next steps.
It's not 4662, it's 4688.
Hi @AL3Z, this regex seems not to work. Did you try the one I shared (that works on regex101)? Ciao. Giuseppe
@gcusello Is this the right format for applying it? blacklist5 = EventCode="4688" $XmlRegex=" \<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)" Thanks..
Hi, I am new to Observability. I am looking for the steps to integrate Splunk Observability Cloud with an SMTP server for email notifications. I have looked in the documentation but could not find any specific topic like the ones we have in the Splunk docs for Splunk Enterprise/Cloud. Please help. Rgds\Uday
Hi @Tejkumar451, as you can read at https://docs.splunk.com/Documentation/Splunk/9.1.1/Updating/Configuredeploymentclients , you have to run a CLI command: splunk set deploy-poll <IP_address/hostname>:<management_port> or manually modify the file deploymentclient.conf to address your Deployment Server. My hint is to create an Add-On, called e.g. TA_Forwarders, containing at least two files: deploymentclient.conf, to address the Deployment Server, and outputs.conf, to address the Indexers. In this way you can dynamically manage any change of DS. Ciao. Giuseppe
Hi @AL3Z, as you can read at https://docs.splunk.com/Documentation/Splunk/9.1.1/admin/Inputsconf , blacklist uses a regex, so if your logs don't contain the exact string EventCode="4662" with the equals sign and quotes, the filter doesn't work. Use regex101 (as I did in my first answer) to find the regex to filter your logs. Ciao. Giuseppe
Hi @shai, this means that your index isn't in the default search path for your role [Settings > Roles > your_role > Indexes]. Anyway, it's always a best practice to use the index filter in every search, limiting the indexes to only the ones where the logs to search are stored: this approach reduces the search time. Ciao. Giuseppe
Thanks for your answer, but it does not solve the problem. I already tried to solve it by refreshing the page, restarting Splunk, and using different browsers (Edge, Firefox and Chrome), but nothing helps. So I think this version of the app will not work in Splunk 9.1.1. Unfortunately the app is not supported, so it looks like I must look for an alternative (if there is one..). There is a Tag Cloud visualization, but that is not as graphical as Wordcloud.
My question is very simple. This returns nothing: sourcetype=my_sourcetype This returns X amount of events (the same amount as index=my_index): index=my_index AND sourcetype=my_sourcetype Search is in Verbose Mode. What am I missing?! How come adding another filter returns more events?
Hi, I have been struggling to fix this blacklist in the windows_ta app inputs.conf on the DS. I deployed it to the clients, but it is not working as expected. Please help me in fixing this issue; logs are still being ingested. Thanks, eagerly waiting for your answers....
You can do it by creating a stacked bar and setting the limit to be the gap (limit-spend) and creating the rows needed for the 4 groups. Here's an example, but I suspect there is a better way:

| makeresults
| eval _raw="Country,old_limit,old_spend_limit,new_limit,new_spend_limit
USA,84000,37000,121000,43000
Canada,149000,103000,214000,128000"
| multikv forceheader=1
| table Country old_limit old_spend_limit new_limit new_spend_limit
| foreach *_spend_limit [ eval "<<MATCHSEG1>>_gap"='<<MATCHSEG1>>_limit'-<<FIELD>>, type=if("<<MATCHSEG1>>"="old", "Pre", "Post"), MV=mvappend(mvzip(mvzip('<<MATCHSEG1>>_gap', '<<FIELD>>', ";"), type, ";"), MV) ]
| fields Country MV
| mvexpand MV
| rex field=MV "(?<gap>[^\;]*);(?<spend>[^\;]*);(?<type>.*)"
| eval Country=Country." ".type
| fields Country gap spend

This just creates a gap;spend field for each type (pre/post) and then expands the pair for each country.
Hello Splunk lovers! I got stuck when I was setting up Kafka Connect on Splunk to a Kafka broker, with the error "LZ4 compression not implemented". Maybe someone has already had and solved this problem. So, how can I solve this problem? Please help.
Hi @yafei, there is no explicit limit on the data a Splunk server can access. For example, if you have a distributed clustered/non-clustered environment, it can access any number of events. If the question is specifically about capacity planning, below are 2 Splunk docs that can help you with it: - https://docs.splunk.com/Documentation/Splunk/9.1.1/Capacity/IntroductiontocapacityplanningforSplunkEnterprise - https://docs.splunk.com/Documentation/Splunk/9.1.1/Capacity/Referencehardware Also, here is a similar question: https://community.splunk.com/t5/Splunk-Enterprise/Capacity-planning-best-practices-for-Splunk-Enterprise/m-p/476931 If this helps, please accept the solution and click Karma, or let me know if you have any questions about it!