Something like below, where fields A, count, B, C are existing multivalue, already calculated fields, but additionally fields E and F are divided based on domain (the pre-calculation we did in the last query), but in domain signifying their unique combination values.
Compatibility
This is compatibility for the latest version.
Products: Splunk Enterprise, Splunk Cloud, Splunk IT Service Intelligence
Platform Version: 9.0, 8.2
CIM Version: 4.X
Yes, I will create a support request also. A quick and dirty workaround to get at least the same old columns from Rocky9: I can use the field ID_LIKE from /etc/os-release:

if [ -e $OS_FILE ] && ( ( (awk -F'=' '/ID_LIKE=/ {print $2}' $OS_FILE | grep -q rhel) ...
That is a Splunk-supported add-on so you can submit a support request (if you have entitlement) for RHEL9 support.
Hi @inventsekar, thanks for the details. @Dhivakarpn and I are working together. Indexer version: 9.0.x
The RHS of the blacklist setting must be in key=regex format where key is one of Category, CategoryString, ComputerName, EventCode, EventType, Keywords, LogName, Message, OpCode, RecordNumber, Sid, SidType, SourceName, TaskCategory, Type, or User; and regex is a regular expression enclosed in delimiters (quotes can be a delimiter).
@gcusello Hi @gcusello/@richgalloway, this regex is not getting applied for the events. I believe we need to blacklist by using the parent field??

blacklist3 = $XmlRegex="<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)"

This is the actual log from Event Viewer:

A new process has been created.

Creator Subject:
  Security ID: SYSTEM
  Account Name: SECUREJUMP$
  Account Domain: EC
  Logon ID: 0x3E7

Target Subject:
  Security ID: NULL SID
  Account Name: -
  Account Domain: -
  Logon ID: 0x0

Process Information:
  New Process ID: 0x561c
  New Process Name: C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe
  Token Elevation Type: %%1936
  Mandatory Label: Mandatory Label\System Mandatory Level
  Creator Process ID: 0x3520
  Creator Process Name: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe
  Process Command Line:

Thanks
Hello, I'm trying to create a dashboard in Dashboard Studio but I can't use the map visualization because it doesn't render all the way through. I'll give you two examples of queries and their respective visualizations:

1) Map (Bubble)

index=************* | iplocation src | geostats latfield=lat longfield=lon count by Country

2) Map - Choropleth

index=************** | iplocation src | lookup geo_countries latitude AS lat longitude AS lon OUTPUT featureId AS country | stats count by country | geom geo_countries featureIdField=country

This only happens in Dashboard Studio; maps render perfectly in classic dashboards. How can I fix this? Is there any configuration missing? Thank you!
Hi @wbazan It will not initially include the ability to print all rows of a table, since we do not want to override your specified dashboard layout in order to include all rows. Some alternatives could be to (1) include all rows in the dashboard display, or (2) schedule and email a report to display all rows of a table.
App: https://splunkbase.splunk.com/app/833

It looks like the nfsiostat.sh script is not compatible with RHEL9. I'm testing with Rocky9.2 and the nfsiostat command output is already different from 7.9.

EDIT: It seems to support RHEL9 explicitly (without the new columns), but NOT Rocky9.

Example from 7.9:

# nfsiostat
server:/mnt/yumrepo mounted on /repos/pkg.repo.d:

   op/s     rpc bklog
  33.88          0.00
read:   ops/s    kB/s     kB/op    retrans        avg RTT (ms)   avg exe (ms)
        1.382    43.682   31.613   3357 (0.0%)    0.612          1.551
write:  ops/s    kB/s     kB/op    retrans        avg RTT (ms)   avg exe (ms)
        4.595    138.038  30.041   1041 (0.0%)    1.659          11.039

Example from Rocky9.2:
- First op/s => ops/s
- 2 new metrics: "avg queue (ms)" and "errors"

server:/mnt/yumrepo mounted on /repos/pkg.repo.d:

   ops/s    rpc bklog
   0.453        0.000
read:   ops/s    kB/s     kB/op    retrans     avg RTT (ms)   avg exe (ms)   avg queue (ms)   errors
        0.000    0.001    1.356    0 (0.0%)    0.096          0.108          0.006            0 (0.0%)
write:  ops/s    kB/s     kB/op    retrans     avg RTT (ms)   avg exe (ms)   avg queue (ms)   errors
        0.001    0.035    25.519   0 (0.0%)    0.562          0.600          0.027            0 (0.0%)

The nfsiostat.sh script cannot parse the new format and currently I get something like this:

# /usr/ipbx/splunkforwarder/etc/apps/Splunk_TA_nix/bin/nfsiostat.sh
Mount  Path  r_op/s  w_op/s  r_KB/s  w_KB/s  rpc_backlog  r_avg_RTT  w_avg_RTT  r_avg_exe  w_avg_exe
server:/mnt/yumrepo  /repos/pkg.repo.d  read:  write:  ops/s  ops/s  0.000  avg  avg  RTT  RTT
0.000  0.001  rpc  0.096  0.108  0.001  0.453  read:  0.000  ops/s  avg  RTT  write:  kB/o  ops/s  rpc  mounted
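The breakage above comes from nfsiostat.sh assuming fixed column positions. A parser that keys on the column names instead handles both the 7.9 and the Rocky9.2 layout and still emits the column set nfsiostat.sh prints. This is an added example, not the Splunk_TA_nix script or a patch to it. The two sample outputs are reconstructed from the post; the line layout of the Rocky9.2 block is assumed to put `read:`/`write:` on their own line above the header (the parser accepts either layout), and the output columns are the ones shown in the garbled nfsiostat.sh output above.

```python
"""Parse `nfsiostat` output from both nfs-utils 1.x (RHEL 7) and 2.x (RHEL 9 / Rocky 9)
layouts, the latter adding the 'avg queue (ms)' and 'errors' columns, by matching
column names instead of positions. Added example, not part of Splunk_TA_nix."""
import re

# "<export> mounted on <mountpoint>:" opens each device block.
MOUNT_RE = re.compile(r"^(\S+) mounted on (\S+):\s*$")
# Column names nfsiostat prints; matched by name so column order and count may vary.
HEADER_RE = re.compile(
    r"ops?/s|kB/s|kB/op|retrans|rpc\s+bklog"
    r"|avg\s+RTT\s+\(ms\)|avg\s+exe\s+\(ms\)|avg\s+queue\s+\(ms\)|errors"
)
NUM_RE = re.compile(r"^-?\d+(?:\.\d+)?$")


def _columns(line):
    """Column names found on a header line, whitespace-normalised; 'op/s' (7.9) -> 'ops/s'."""
    names = [" ".join(n.split()) for n in HEADER_RE.findall(line)]
    return ["ops/s" if n == "op/s" else n for n in names]


def _values(line):
    """retrans/errors print as '3357 (0.0%)'; keep the count, drop the percentage token."""
    return [t for t in line.split() if not (t.startswith("(") and t.endswith("%)"))]


def parse_nfsiostat(text):
    """Return one dict per mount: export, path, and '<section>.<column>' -> float."""
    mounts, cur, section, cols = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MOUNT_RE.match(line)
        if m:
            cur = {"export": m.group(1), "path": m.group(2)}
            mounts.append(cur)
            section, cols = "summary", None
            continue
        if cur is None:
            continue
        if line.startswith(("read:", "write:")):
            section, _, rest = line.partition(":")
            cols = _columns(rest) or None  # 7.9 puts the header on the same line
            continue
        header = _columns(line)
        if header:  # Rocky 9 puts the header on its own line
            cols = header
            continue
        vals = _values(line)
        if cols and len(vals) == len(cols) and all(NUM_RE.match(v) for v in vals):
            for name, v in zip(cols, vals):
                cur[f"{section}.{name}"] = float(v)
            cols = None
    return mounts


# Column set emitted by nfsiostat.sh, as shown in the thread.
TA_COLUMNS = ["Mount", "Path", "r_op/s", "w_op/s", "r_KB/s", "w_KB/s", "rpc_backlog",
              "r_avg_RTT", "w_avg_RTT", "r_avg_exe", "w_avg_exe"]


def to_ta_row(m):
    """Project one parsed mount onto the nfsiostat.sh column set (extra 9.x metrics stay in m)."""
    return [m["export"], m["path"],
            m["read.ops/s"], m["write.ops/s"],
            m["read.kB/s"], m["write.kB/s"],
            m["summary.rpc bklog"],
            m["read.avg RTT (ms)"], m["write.avg RTT (ms)"],
            m["read.avg exe (ms)"], m["write.avg exe (ms)"]]


# Constructed samples, reconstructed from the post (whitespace is approximate).
SAMPLE_RHEL7 = """\
server:/mnt/yumrepo mounted on /repos/pkg.repo.d:

   op/s     rpc bklog
  33.88          0.00
read:   ops/s    kB/s     kB/op    retrans        avg RTT (ms)   avg exe (ms)
        1.382    43.682   31.613   3357 (0.0%)    0.612          1.551
write:  ops/s    kB/s     kB/op    retrans        avg RTT (ms)   avg exe (ms)
        4.595    138.038  30.041   1041 (0.0%)    1.659          11.039
"""

SAMPLE_ROCKY9 = """\
server:/mnt/yumrepo mounted on /repos/pkg.repo.d:

           ops/s       rpc bklog
           0.453           0.000

read:
        ops/s    kB/s     kB/op    retrans     avg RTT (ms)   avg exe (ms)   avg queue (ms)   errors
        0.000    0.001    1.356    0 (0.0%)    0.096          0.108          0.006            0 (0.0%)
write:
        ops/s    kB/s     kB/op    retrans     avg RTT (ms)   avg exe (ms)   avg queue (ms)   errors
        0.001    0.035    25.519   0 (0.0%)    0.562          0.600          0.027            0 (0.0%)
"""

if __name__ == "__main__":
    print("\t".join(TA_COLUMNS))
    for sample in (SAMPLE_RHEL7, SAMPLE_ROCKY9):
        for mount in parse_nfsiostat(sample):
            print("\t".join(str(v) for v in to_ta_row(mount)))
```

Because the header is matched by name, a future column that nfsiostat adds or reorders does not shift the existing fields into the wrong place; it is simply ignored by `to_ta_row` and remains available in the parsed dict (for example `read.avg queue (ms)` and `write.errors` on Rocky 9).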
Two of my indexers are not working; they are not receiving data from the Universal Forwarder. When I run the command ./splunk display listen it shows 9998 is listening, and ./splunk list forward-server gives the below result:

Active forwards:
10.246.250.154:9998 (ssl)
Configured but inactive forwards:
10.246.250.155:9998
10.246.250.156:9998

Let me know what I can do to activate the other two indexers.
Are you indexing any of your CMDB info in Splunk already? You can set up automated entity updates for ITSI, and an easy way to do this is with a Splunk SPL query on data already indexed. Here is more info in Docs.

If you don't have this sort of thing, a CSV-formatted file is a good starting point since that can already be used to manually update via the GUI. Also keep in mind that if your CMDB can generate that CSV for you, then you might as well index that file in Splunk (and you're back to the first paragraph).
Hi @AL3Z, please try this regex:

\<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe)|(C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe)

that you can test at https://regex101.com/r/053rNX/1

Ciao. Giuseppe
The destination dashboard would just need to be ready/able to handle the token(s) you are passing it from your source dashboard.   Here's more info on setting up the source dashboard for linking.  
Hi, looking for some assistance with a regex to blacklist events in inputs.conf on Windows systems. We modified inputs.conf located at:

/opt/apps/splunk/etc/deployment-apps/Splunk_TA_windows/local/inputs.conf

Applied regex:

blacklist1 = EventCode="4688" $XmlRegex="<Data Name='NewProcessName'> (C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe)|(C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumCX.exe) </Data>"

I attempted all available methods to blacklist the events above, but they did not take effect. Do we need to make modifications in order to successfully blacklist them? Thanks
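The three patterns exchanged in this thread (the question's blacklist1, the reply's regex and the follow-up's blacklist3) can be checked offline before they go to the deployment server, which is what the script below does. It is an added example, not from the thread, from Splunk or from Splunk_TA_windows. It builds a constructed, single-line XML rendering of a 4688 event modelled on the Event Viewer text posted in the thread ($XmlRegex is matched against the event's XML rendering, so it concerns renderXml = true inputs); the element order follows the 4688 EventData schema, and the parent paths used for the extra cases are hypothetical. Python's re is close enough to Splunk's PCRE for these patterns. A fourth, tightened pattern is added for comparison.

```python
"""Check inputs.conf $XmlRegex blacklist patterns offline against Security event 4688.
Added example; the event XML below is constructed, not captured."""
import re

# Paths from the thread, escaped for a regex (backslash, '(', ')' and '.' are metacharacters).
MSSENSE = r"C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense\.exe"
TANIUM = r"C:\\Program Files \(x86\)\\Tanium\\Tanium Client\\TaniumCX\.exe"

# blacklist1 from the question, copied as posted: literal spaces around the paths, and
# '(x86)' / '.' left unescaped, so it looks for text that never occurs in the event.
ORIGINAL = (r"<Data Name='NewProcessName'> (C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe)"
            r"|(C:\\Program Files (x86)\\Tanium\\Tanium Client\\TaniumCX.exe) </Data>")
# Regex from the reply: the top-level '|' makes the Tanium branch independent of both
# the EventID and the NewProcessName element.
REPLY = (r"\<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(" + MSSENSE
         + r")|(" + TANIUM + r")")
# blacklist3 from the follow-up: '.*' after the NewProcessName tag runs past </Data>, so
# MsSense.exe anywhere later in the event (e.g. in ParentProcessName) satisfies it.
FOLLOWUP = r"<EventID\>4688\<\/EventID\>.*\<Data Name\=\'NewProcessName\'\>.*(" + MSSENSE + r")"
# Tightened form (added here): both paths in one group, bounded by the closing </Data>.
TIGHT = r"<EventID>4688</EventID>.*<Data Name='NewProcessName'>(?:" + MSSENSE + "|" + TANIUM + r")</Data>"

PATTERNS = {"original": ORIGINAL, "reply": REPLY, "followup": FOLLOWUP, "tight": TIGHT}


def build_event(new_process, parent_process):
    """Constructed single-line XML rendering of a 4688 event, modelled on the Event Viewer
    text in the thread. NewProcessName precedes ParentProcessName, as in the real schema."""
    return (
        "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>"
        "<System><Provider Name='Microsoft-Windows-Security-Auditing'/>"
        "<EventID>4688</EventID><Channel>Security</Channel></System>"
        "<EventData><Data Name='SubjectUserName'>SECUREJUMP$</Data>"
        "<Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x3e7</Data>"
        "<Data Name='NewProcessId'>0x561c</Data>"
        f"<Data Name='NewProcessName'>{new_process}</Data>"
        "<Data Name='TokenElevationType'>%%1936</Data><Data Name='ProcessId'>0x3520</Data>"
        "<Data Name='CommandLine'></Data>"
        f"<Data Name='ParentProcessName'>{parent_process}</Data>"
        "</EventData></Event>"
    )


DEFENDER = r"C:\Program Files\Windows Defender Advanced Threat Protection"
TANIUM_EXE = r"C:\Program Files (x86)\Tanium\Tanium Client\TaniumCX.exe"
SERVICES = r"C:\Windows\System32\services.exe"  # hypothetical parent for the extra cases

EVENTS = {
    # the event pasted in the thread: SenseCncProxy.exe is new, MsSense.exe is only the parent
    "posted": build_event(DEFENDER + r"\SenseCncProxy.exe", DEFENDER + r"\MsSense.exe"),
    # MsSense.exe itself starting: the case the blacklist is meant to drop
    "mssense": build_event(DEFENDER + r"\MsSense.exe", SERVICES),
    # TaniumCX.exe itself starting
    "tanium": build_event(TANIUM_EXE, SERVICES),
    # a shell spawned by the Tanium client (hypothetical): an event worth keeping
    "tanium_child": build_event(r"C:\Windows\System32\cmd.exe", TANIUM_EXE),
}


def blacklisted(pattern, event_xml):
    """True if the pattern would drop the event. Splunk's blacklist regexes are unanchored
    (the docs anchor EventCode with ^...$ when a full match is wanted), hence re.search."""
    return re.search(pattern, event_xml) is not None


def matrix():
    """pattern name -> event name -> would be dropped?"""
    return {name: {ev: blacklisted(rx, xml) for ev, xml in EVENTS.items()}
            for name, rx in PATTERNS.items()}


if __name__ == "__main__":
    for name, row in matrix().items():
        print(f"{name:9s}", {ev: ("DROP" if hit else "keep") for ev, hit in row.items()})
```

What the matrix shows: blacklist1 never matches anything, because of the literal spaces around the paths and the unescaped `(x86)` group; blacklist3 and the reply's regex both drop the posted event even though its NewProcessName is SenseCncProxy.exe, because the unbounded `.*` runs past `</Data>` and finds MsSense.exe in ParentProcessName; the reply's top-level `|` also drops a cmd.exe started by TaniumCX.exe, since the Tanium branch is tied to neither the EventID nor the NewProcessName element. The tightened pattern only drops the two processes named. If your XML rendering puts elements on separate lines, `.` does not cross a newline unless the pattern starts with `(?s)`.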
Hi @Sujal Kumar.Mitra, Did you click over into the 'Platforms' tab?  
Hi @ManjunathNargun, the key is to have the searches finish before their next scheduled time. If you run a search every 5 min it should not take more than 5 min to complete. See https://docs.splunk.com/Documentation/Splunk/9.1.1/Search/Writebettersearches on how to write efficient searches. Other options are to reduce the search frequency or add more search resources (search head and indexer CPU resources). /Seb
Hi @bas28! "Is it possible that Splunk cannot collect certain values even though others are being collected?" No. In my experience it is always something missing between the entity filtering per service, the entity definition in the KPI searches, and/or some issue with the field normalisation (metric) of the KPI base search. Double check that those things are alright. The last thing to check could be ingest delay and that data is arriving in time for the KPI search to pick it up. /Seb
Hi @prakashsbk, could you share your search? You should use something like this:

<your_search>
| stats dc(AlertStatus) AS AlertStatus_count values(AlertStatus) AS AlertStatus BY IncidentID
| search AlertStatus_count<2 AND AlertStatus="CREATE"
| table IncidentID AlertStatus

Having your search I could be more detailed. Ciao. Giuseppe
Hi @vijreddy30, when you create a user and you don't want him/her to see some objects, you have to assign a different role so he/she can see only the enabled indexes and the objects with read-all grants. When you create the role, don't inherit from the user role, otherwise the new role will have the same grants as user. Ciao. Giuseppe