All Posts
Hey @gcusello @inventsekar @PickleRick ++ @Dhivakarpn, adding environment information. Indexer version 9.x. This is on Amazon Linux 2023 (https://github.com/amazonlinux/amazon-linux-2023), kernel version 6.1. As per our understanding, UF 9.0.1 can support up to kernel 5.x. This Amazon Linux 3 is running with kernel version 6.1. We would like to know: is this configuration supported? Or are there any issues reported with the latest kernel?
Can you provide an example of what that would look like?
Hi, can you check /var/log/syslog on your Ubuntu instance and see if there are errors reported?
After performing the query

    base search
    | nomv FieldB
    | nomv FieldC
    | nomv FieldD
    | stats count values(*) as * by FieldA
    | foreach FieldB,FieldC FieldD [| eval <<FIELD>>=split(<<FIELD>>,"")]

my result table is like below:

    field A  | count | Field c | Field D | Field E                 | Field F
    abc.com  | 2     | a b     | A B     | abc.com bcf.com def.com | sub1 sub 2 sub 3
    def.com  | 4     | A B     | A B     | bcc.com xyz.com         | sub 5 sub 6 sub 6
    efg.com  | 6     | B A     | A  B    | jhg.com abc.com ghj.com | sub 4 sub 7 sub 8

I want to ask: is there any way/operation that I can perform on field E and field F so that they give unique combinations of values rather than a multivalue field? Prior to performing the count operation in the query, Field E and F are unique, but after count they become multivalue, which at a later stage I want to take back to their prior state, such that fields A, B, C, D remain the same but Field E & F are divided further into rows on the basis of unique combinations of values of field E & F (but the parent unique combination of A, B, C, D remains the same).
Hi @st1, the logic of your search isn't so clear to me. Anyway, if you want to have as results only the events in the last 24 hours, you can run (not changing your search!):

    index=cisco sourcetype=cisco:wlc snmpTrapOID_0="CISCO-LWAPP-AP-MIB::ciscoLwappApRogueDetected"
    | rename cLApName_0 as "HQ AP"
    | dedup "HQ AP"
    | stats list(*) as * by _time
    | where _time>now()-86400
    | table _time, "HQ AP", RogueApMacAddress

Ciao. Giuseppe
I have the following search:

    index=cisco sourcetype=cisco:wlc snmpTrapOID_0="CISCO-LWAPP-AP-MIB::ciscoLwappApRogueDetected"
    | rename cLApName_0 as "HQ AP"
    | dedup "HQ AP"
    | stats list(*) as * by "_time"
    | table _time, "HQ AP", RogueApMacAddress

Example results:

    _time                HQ AP                           RogueAPMacAddress
    2023-10-05 12:56:41  flr1-ap-5198-AP05               6e:e8:e9:cd:40:10
    2023-10-06 04:09:29  flr1-ap-51c4                    da:55:b8:8:db:b8
    2023-10-06 08:42:14  flr1-ap-514E_AP07               84:fd:d1:fa:a7:3f
    2023-10-06 08:53:12  flr1-ap-518C-B92                0:25:0:ff:94:73
    2023-10-06 09:20:22  flr2-ap-51CA                    28:24:ff:fd:a6:c0
    2023-10-06 09:30:58  flr1-ap-51C2 flr2-ap-463C-AP02  32:b:61:48:a3:c3
    2023-10-07 04:09:29  flr1-ap-444x-B11                da:55:b8:8:db:b8
    2023-10-07 08:53:12  flr1-ap-69x4                    0:25:0:ff:94:73

The search is showing access points in our office that have detected unauthorized access points. I have my search look at the last 24 hours. I only want to filter for RogueApMacAddresses that have been present/detected for over 24 hours. In this example, both the red and blue events have been there for over the last 24 hours. How can I alert on just those events and disregard the rest? Thanks for any help.
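Added example, not part of the question or of any reply: the rows of the results table above, embedded as sample input in a Python script that computes first-seen and last-seen per RogueApMacAddress and keeps only the MACs whose detections span at least 24 hours. The two repeated MACs in the table recur exactly 24 hours apart, so the threshold is >= rather than >; splitting the multivalue HQ AP cell on whitespace is an assumption about how the list() output is rendered.

```python
from datetime import datetime, timedelta

# Sample input: the rows of the results table in the question above, copied as
# (_time, HQ AP, RogueApMacAddress). The row with two AP names is a multivalue
# cell produced by stats list(); it is kept here as one whitespace-joined string.
RESULTS = [
    ("2023-10-05 12:56:41", "flr1-ap-5198-AP05", "6e:e8:e9:cd:40:10"),
    ("2023-10-06 04:09:29", "flr1-ap-51c4", "da:55:b8:8:db:b8"),
    ("2023-10-06 08:42:14", "flr1-ap-514E_AP07", "84:fd:d1:fa:a7:3f"),
    ("2023-10-06 08:53:12", "flr1-ap-518C-B92", "0:25:0:ff:94:73"),
    ("2023-10-06 09:20:22", "flr2-ap-51CA", "28:24:ff:fd:a6:c0"),
    ("2023-10-06 09:30:58", "flr1-ap-51C2 flr2-ap-463C-AP02", "32:b:61:48:a3:c3"),
    ("2023-10-07 04:09:29", "flr1-ap-444x-B11", "da:55:b8:8:db:b8"),
    ("2023-10-07 08:53:12", "flr1-ap-69x4", "0:25:0:ff:94:73"),
]

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def persistent_rogues(rows, min_age=timedelta(hours=24)):
    """Return {mac: (first_seen, last_seen, sorted AP names)} for every rogue MAC
    whose earliest and latest detections are at least min_age apart."""
    first, last, aps = {}, {}, {}
    for ts, ap_cell, mac in rows:
        seen = datetime.strptime(ts, TIME_FMT)
        first[mac] = min(first.get(mac, seen), seen)
        last[mac] = max(last.get(mac, seen), seen)
        # Assumption: a multivalue HQ AP cell is rendered as whitespace-separated names.
        aps.setdefault(mac, set()).update(ap_cell.split())
    return {
        mac: (first[mac], last[mac], sorted(aps[mac]))
        for mac in first
        if last[mac] - first[mac] >= min_age
    }


def persistent_macs(rows, min_age=timedelta(hours=24)):
    """Just the MAC addresses that would fire the alert, in a stable order."""
    return sorted(persistent_rogues(rows, min_age))


if __name__ == "__main__":
    for mac, (first_seen, last_seen, ap_names) in persistent_rogues(RESULTS).items():
        span = last_seen - first_seen
        print(f"{mac}: first {first_seen}, last {last_seen}, span {span}, seen by {', '.join(ap_names)}")
```

The same idea in SPL (my rewrite, not the poster's search) is `stats min(_time) as first_seen max(_time) as last_seen values("HQ AP") as aps by RogueApMacAddress | where last_seen-first_seen>=86400`. Either way the search time range has to cover more than 24 hours (for example the last 48 hours): a MAC cannot show a 24-hour span inside a 24-hour window, so the "last 24 hours" range in the question would never produce a hit.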
I am taking the free GDI training on Splunk Cloud Observability. I installed an Ubuntu VM on my Windows laptop and everything went OK after the initial configuration. I saw my hostname and metrics once. It happened yesterday (10/05/2023) around 22:00 hrs EST. This morning I am not seeing any active communication. I rebooted my VM. I see the process running in the VM, but I am not seeing any active charts in https://app.us1.signalfx.com/#/infra?endTime=now&startTime=-3h. Am I missing anything? How do I troubleshoot this communication issue?
Thanks! Your provided answer worked. Additionally, explaining for others coming here:

    | nomv FieldB
        multivalue command to convert a multivalued field to a single-value field
    | nomv FieldC
    | nomv FieldD
    | stats count values(*) as * by FieldA
        to get the count of field values
    | foreach FieldB FieldC FieldD [| eval <<FIELD>>=split(<<FIELD>>," ")]
        for every MV field converted to a single-value field, converting them back to multivalue fields
Old format, no XML
Do you ingest events as "old format" or XML? With XML events you have to do it differently. https://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf

    * $XmlRegex: Use this key for filtering when you render Windows Event log events in XML by setting the 'renderXml' setting to "true". Search the online documentation for "Filter data in XML format with the XmlRegex key" for details.
Hi @SplunkExplorer, there's a difference in the two logs that you have to manage: in the not matching log there's "123(3)" between microsoft and com. Please try this regex:

    \]\sA\s+(.*)(microsoft|office|azure|o365|onenote|outlook|windowsupdate)(\(\d+\))(\d+\(\d+\))*(com|net|us)(\(\d+\))\s

which you can test at https://regex101.com/r/9mZoCU/3 Ciao. Giuseppe
Hi Giuseppe, below is the link to regex101 with the regex used and a log that matches it: Matching regex. Here is the same thing but with a little change to the log that makes it not match the regex, as expected: Not matching regex. Another idea is my use of capturing groups; should I use them in another way?
Hi @SplunkExplorer, could you share a sample of your logs (some to filter and some not to filter)? Anyway, after the equals sign you don't need quotes or anything else. Ciao. Giuseppe
Hi Splunkers, I have a problem with a blacklist filter. On the customer's UF, we filtered out some events by changing the inputs.conf file. The ones based on a comma-separated list, like Windows EventID, are working fine with no problem, while the one based on a regex is not. Of course, as a first thing, I checked the regex syntax and I can confirm it works fine; testing it on regex101, it matches perfectly what I want. Tests have been done with different source logs, to be sure it works properly. This is how we placed the regex on the UF:

    [<stanza name>]
    ...other parameter...
    blacklist = \]\sA\s+(.*)(microsoft|office|azure|o365|onenote|outlook|windowsupdate)(\(\d+\))(com|net|us)(\(\d+\))\s

This filter must be applied to logs coming from Windows DNS; its purpose is to avoid ingestion of legit domains, in all their combinations, but only if they have a "normal" form. In the regex you can see I put a filter for (<number>), because in the raw log we have domains in the format main_domain(<number>)root_domain, like microsoft(3)net. For example, microsoft(2)com and microsoft(3)net match the regex and should be filtered out, while microsoft(9)123(5)com does not and should be sent to Splunk. My assumption is that I missed out some delimiter after the equals symbol; I mean, should I put the regex code between any kind of symbols? Something like regex = '<regex code>' or regex = "<regex code>" etcetera.
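Added example (not from this thread): a small Python script that runs the blacklist regex from this post, and the variant proposed in Giuseppe's reply above, against constructed sample lines in the label(length) form described here, so you can see which events each pattern would drop before changing anything on the forwarder. The sample lines and the placeholder text before "] A" are made up for the test; Python's re module stands in for Splunk's PCRE engine (the constructs in these two patterns behave the same in both). On the delimiter question: inputs.conf takes the value bare after the equals sign, exactly as in the stanza above; adding quotes would make the quote characters part of the pattern. Note also that in a [monitor://] file stanza, blacklist is matched against the file path, not the event text, whereas a [WinEventLog://] stanza's blacklist does filter individual events.

```python
import re

# The blacklist as written in the inputs.conf stanza in the question (value is bare, no quotes).
ORIGINAL_BLACKLIST = (
    r"\]\sA\s+(.*)(microsoft|office|azure|o365|onenote|outlook|windowsupdate)"
    r"(\(\d+\))(com|net|us)(\(\d+\))\s"
)

# The variant from the reply, which additionally allows "<digits>(<digits>)" label groups
# (for example "123(5)") between the vendor label and the TLD.
REPLY_BLACKLIST = (
    r"\]\sA\s+(.*)(microsoft|office|azure|o365|onenote|outlook|windowsupdate)"
    r"(\(\d+\))(\d+\(\d+\))*(com|net|us)(\(\d+\))\s"
)

# Constructed sample lines. Everything before "] A" is a placeholder; only the query name
# in label(length) form matters to these patterns. The trailing space satisfies the final \s.
SAMPLE_LINES = [
    "[0001   D   NOERROR] A      (9)microsoft(3)com(0) ",
    "[0001   D   NOERROR] A      (9)microsoft(3)net(0) ",
    "[0001   D   NOERROR] A      (9)microsoft(9)123(5)com(0) ",
    "[0001   D   NOERROR] A      (7)example(3)org(0) ",
]


def would_be_dropped(blacklist: str, line: str) -> bool:
    """True when the blacklist regex matches somewhere in the line, i.e. the event is discarded."""
    return re.search(blacklist, line) is not None


def kept_lines(blacklist: str, lines=SAMPLE_LINES) -> list:
    """Lines that survive the blacklist and would be forwarded to Splunk."""
    return [line for line in lines if not would_be_dropped(blacklist, line)]


if __name__ == "__main__":
    for name, pattern in (("original", ORIGINAL_BLACKLIST), ("reply", REPLY_BLACKLIST)):
        print(f"--- {name} blacklist ---")
        for line in SAMPLE_LINES:
            verdict = "DROP" if would_be_dropped(pattern, line) else "keep"
            print(f"{verdict}  {line.strip()}")
```

Running it shows the two patterns disagree on exactly one line: the original keeps microsoft(9)123(5)com, as the question expects, while the reply's pattern drops it as well. The example.org line survives both, which is the quick sanity check that the blacklist is not over-matching.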
See if this helps. It assumes the holidays are in a file called 'holidays.csv'. The lookup contains (at least) two columns called "Begins" and "Ends", which are timestamps in the format mon/day/year hour:min.

    index=error-logs status=401 NOT
        [| inputlookup holidays.csv
         ``` Build a search string to exclude dates in the lookup file ```
         | eval search="_time>=" . strptime(Begins,"%m/%d/%Y %H:%M") . " _time<=" . strptime(Ends,"%m/%d/%Y %H:%M")
         | fields search
         | format
         ``` Remove quotes from the search string ```
         | eval search=replace(search, "\\\"", "")]
    | stats count

This tells Splunk to search the error-logs index for events with status 401 and timestamps (_time field) not given in holidays.csv.
Hi All... Splunk newbie learning videos, for absolute beginners: https://www.youtube.com/@SiemNewbies101/playlists I have added 24 small videos on rex... completely for Splunk newbies and beginners. Hope this helps somebody, thanks.
Wow, definitely a case of "your mileage may differ"... this is just a small sample of these alerts here, and on the ones triggered by Splunk, they still seem to function OK:

    ADPClientService.exe, version: 4.1.38.0, time stamp: 0x62c69205
    AUEPMaster.exe, version: 1910.24.6.725, time stamp: 0x5d39726f
    AdAutoUpdateSDK.dll, version: 0.0.0.0, time stamp: 0x61dc3463
    AdskAccessServiceHost.exe, version: 1.27.0.4, time stamp: 0x61dc35ae
    AdskUpdateCheck.exe, version: 1.27.0.4, time stamp: 0x61dc3558
    CcmProfiler.dll_unloaded, version: 5.0.9106.1000, time stamp: 0x642d9f3d
    FMEngine.dll, version: 19.2.2.234, time stamp: 0x60451558
    KERNEL32.DLL, version: 10.0.17763.4720, time stamp: 0xa2ec4df3
    KERNELBASE.dll, version: 10.0.19041.3393, time stamp: 0x6b4de7c9
    OUTLOOK.EXE, version: 16.0.10402.20023, time stamp: 0x64ef06a7
    smartscreenps.dll, version: 10.0.19041.3031, time stamp: 0x92650ce8
    PDFMEngine.dll, version: 23.6.20320.0, time stamp: 0x64f8d26b
    RPCRT4.dll, version: 10.0.17763.4644, time stamp: 0x565f63ab
    RtkAudUService64.exe, version: 1.0.0.176, time stamp: 0x5c6f93ad
    VCRUNTIME140.dll, version: 14.16.27033.0, time stamp: 0x5d30eadf
    biwinrt.dll, version: 10.0.17763.2989, time stamp: 0x790cc0bc
    splunk-winevtlog.exe, version: 2304.1280.25713.15594, time stamp: 0x64713ec1
| rex "detection_method=\"(?<detection_method>[^\"]+)\""
Yes, sure.
1) On the UF download page, you can find the curl command for downloading the UF agent. Copy that curl command and run it on your Solaris; it will download the UF agent package.
2) After downloading the UF package, you can install it using the steps listed here: https://docs.splunk.com/Documentation/Forwarder/9.1.1/Forwarder/Installanixuniversalforwarder#Install_the_universal_forwarder_on_Solaris
Let us know if you have any queries, thanks.
Hi Splunkers! I would like to extract the detection_method value, "Access Protection":

    file_name="HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM\", detection_method="Access Protection", vendor_action="IDS_ACTION_WOULD_BLOCK",

Thanks, Manoj Kumar S